Protecting Personal Data: A Guide for Utilities and Environmental Businesses

In Short

  • Utilities and environmental businesses handle sensitive personal data, including customer details, smart meter readings, and employee information, requiring careful management and protection.
  • Compliance involves maintaining a clear privacy policy, collecting only necessary data, securing information, and training employees on their privacy obligations.
  • Data sharing with other entities must be controlled, lawful, and supported by agreements defining purpose, security, and breach procedures.

Tips for Businesses

Ensure your business has a robust privacy policy that clearly explains how personal data is collected, used, and shared. Train employees on privacy responsibilities, secure both digital and hard copy records, and implement clear data-sharing agreements. Even small businesses must take care to protect client and employee information and maintain confidentiality.


As a utilities or environmental business, you will interact with a range of personal information from clients and employees. While you know how important it is to deal with that personal information correctly, you may wonder what your legal obligations are. This article will take you through your legal requirements for dealing with personal information as a utilities or environmental business and outline some of the steps you can take to protect personal data.

The Unique Data Landscape for Utilities and Environmental Businesses

As a utility or environmental business, you likely collect and manage several unique types of data that set you apart from other industries. 

This may include real-time energy consumption data from smart meters, which can reveal detailed patterns of household activities. You may also gather data from distributed energy resources, such as solar panels or home batteries, providing insights into energy generation and storage at the individual property level. This data may be integral to providing your services; however, it is essential to recognise that it can also be highly personal, potentially revealing intimate details about customers’ lifestyles and behaviours. Therefore, you must treat this data with care and implement robust protection measures.

The energy and environmental sectors are subject to specific regulatory requirements that intersect with data protection laws, including the National Electricity Rules and the Consumer Data Right. The National Electricity Rules provide guidelines on what data network service providers can share with the Australian Energy Market Operator (AEMO).

The Consumer Data Right (CDR) facilitates the efficient and easy sharing of data between energy providers. The CDR imposes further obligations on you with respect to obtaining consent and sharing consumer data, separate from your general privacy obligations under privacy laws. You must:

  • provide the necessary infrastructure to enable requests to be made for product and consumer data;
  • disclose general product data about products you offer, including interest rates, fees and charges;
  • obtain the required consumer authorisations, and facilitate the secure transfer of a consumer’s data and any amendment or withdrawal to such consumer authorisation; and
  • manage a consumer’s authorisation with respect to the disclosure of CDR data, including any amendment or withdrawal of such authorisation.

You should ensure that you are familiar with these requirements and how they apply to you.

Business Size

The first step in working out your legal obligations for handling personal data is to determine whether your business is classified as large or small. A small business has an annual turnover of less than $3 million, while a business with more than $3 million in annual turnover is considered a large business for the purposes of personal data laws.

Personal Information

No matter what size your business is, knowing your obligations when dealing with personal data and information is essential. As a utilities or environmental business, you deal with a range of personal data, including:

  • customer details (names, addresses, contact information);
  • energy consumption patterns;
  • payment and billing information;
  • smart meter readings;
  • data from customer-owned energy resources; and
  • your clients’ and employees’ bank information.

Your Obligations When Managing Personal Information

You must be open and transparent about how you manage personal information. Clients and employees should clearly understand how their data will be used. To support this, your business needs an up-to-date and detailed privacy policy. You should also ensure that only authorised people can access personal information and that the data collected is kept secure and not tampered with.

Your Obligations When Collecting Personal Information

Only collect personal information that is necessary for business purposes. This may include collecting an employee’s bank details for payroll purposes. If you receive personal data that was not requested, ensure you either securely delete it or anonymise it. Always take care to collect only accurate personal information.

Your Obligations When Disclosing Personal Information

If you are disclosing personal data to others, make sure it is only used for the same reasons that you first collected it. For example, where you have collected a client’s address for billing purposes, the address can only be disclosed to others for that same billing purpose.

As a utilities or environmental business, you may also need to share data with other entities in the industry. This could include:

  • providing grid performance data to market regulators;
  • sharing consumption data; and
  • collaborating with CER manufacturers and retailers.

Make sure not to disclose government-related identifying information about your clients or employees. This could include an employee’s tax file number.

When engaging in such data sharing, having robust data sharing agreements in place can avoid potential issues. These agreements should clearly define:

  • what data can be shared and for what purposes;
  • security requirements for all parties;
  • procedures for handling potential data breaches; and
  • compliance with relevant privacy laws and regulations.

Your Obligations to Provide Information to Your Clients And Employees

Be sure to make the reasons you are collecting personal data and the consequences if that data is not collected clear to clients and employees, and let them know whether and to whom you would typically disclose personal information of the kind you are collecting. Ensure clients and employees have a copy of your privacy policy when you are dealing with their information. Give clients and employees access to their personal information.

Your Obligation to Provide Anonymity to Clients and Employees

You need to provide your clients and employees with the option to remain anonymous or use a pseudonym when their information is used. You do not need to do this if it would be impractical for the running of your utilities or environmental business.

Small Business Obligations

Businesses with less than $3 million in annual turnover have different obligations than large businesses. If you run a small business, you are required to take reasonable care to ensure personal information is not accessed or used without permission.

Keep in Line With the Law

Maintain a Detailed Privacy Policy

A robust privacy policy is essential to ensuring you meet your privacy obligations. A good privacy policy will make clear what personal information you will collect and what you will use it for. LegalVision’s experienced utilities and environmental lawyers can help you create a privacy policy that satisfies the law and ensures your clients and employees feel safe knowing you are taking the proper steps to protect their information. 

Make Employees Aware of Their Obligations

Regularly training your employees on their privacy obligations ensures they can uphold both their own and your company’s privacy obligations. New employees should also be given detailed instructions on their responsibilities when dealing with personal information.

Keep Personal Information Secure

Above all, keeping the personal information you collect safe is essential. Investing in quality digital record management software and being diligent with hard copy information will ensure that you meet your personal data management obligations.

Key Takeaways

As a utilities or environmental business, lawfully dealing with client and employee data is very important. Your obligations will be more extensive and detailed as a large business. As a small business, you still have an obligation to keep information confidential. A detailed privacy policy, employee awareness and robust security infrastructure will enable you to meet your personal information obligations.

If you need help dealing with client and employee personal data, our experienced utilities and environmental lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.

Frequently Asked Questions

What types of personal data do utilities and environmental businesses handle?

Utilities and environmental businesses handle a wide range of personal data, including customer contact details, smart meter readings, energy consumption patterns, billing information, and employee bank details. Some of this data can reveal highly personal lifestyle information, so you must treat it carefully and apply strong protection measures.

How can my utilities or environmental business comply with privacy obligations?

You can comply by maintaining a detailed privacy policy, collecting only necessary personal data, and using it strictly for the purpose collected. Train employees on privacy responsibilities, secure records with reliable systems, and implement robust data-sharing agreements. These steps help meet legal obligations and safeguard the trust of both clients and employees.

Maddison Zahra

Lawyer

Maddison is a Lawyer at LegalVision, working in the Corporate and Commercial Team. She has particular expertise in commercial contracts, data and privacy and regulatory compliance advice for small businesses and startups within the Australian landscape. She also has previous experience in Government and Property Law, where she worked with a variety of clients, from small to medium businesses to large corporate and Government clients.

Qualifications: Bachelor of Laws, Bachelor of International Studies, University of New South Wales.
