One of the exciting innovations of IRA HOMES is the opportunity to adopt a data-driven approach to implementation. Instead of scraping data together to construct a compliance-focused evaluation, we now have the opportunity to put data at the center of program optimization with results closer to real-time. That means the data needs to flow securely to enable insights.
The DOE core application guidance and supporting documentation on data requirements provide states and their partners helpful references to develop necessary plans and actions to enable this future. Secure data handling will be needed to screen for eligibility, calculate rebates, and track and monitor performance for the program and by demographic or geographic boundary. While it may seem daunting, States can keep it manageable by starting collaboration with other agencies and utilities and engaging industry expertise.
In this blog, we provide an overview of the core requirements outlined in the guidance that support data-driven optimization and touch on the key considerations for developing a risk-based security plan.
In the guidance, DOE was clearly focused on the value of data-driven implementation. Key to the measured approach is ensuring secure data flows to optimize program performance and validate outcomes. States may have already initiated collaboration with their sister agencies, like regulatory commissions and utility and third-party stakeholder partners, to explore secure data strategies. Some state energy offices, already strapped for staff, may be concerned about taking on the extra burden of data handling. Agencies may also be wary of potential liabilities around data handling or be concerned that the effort needed to build out this infrastructure may distract from other aspects of successful program implementation.
States have several options for establishing secure data infrastructure tailored to their needs and existing capabilities. Clearly defining the roles and responsibilities of different entities involved in data management is a fundamental starting point. With clear roles established early, it will be easier for states to ensure that the necessary infrastructure and capacity to manage secure data flows is in place. Once established, states can iterate over time and evolve practices and procedures appropriate for a wider number of use cases. The HOMES rebate program represents one use case with a very specific focus, a set of necessary data, and potential controls on secure access that are appropriate and manageable for states to implement that will provide significant value to the program delivery.
Reporting Protocols & Compliance
The DOE Guidance outlines program requirements for documents, data, and other information that States (or their agents) will collect using Federal funds to implement and administer the Home Energy Rebates. Additional guidance documents offer the specifics on data fields to be submitted to DOE and clarify some remaining open questions on how the information may be shared with DOE.
State programs must collect key household information as required in the Data & Tools Requirements Guide to facilitate data sharing, audits, and evaluations. This guide is broken down into five parts:
- Parts 1 & 2 cover data collection, tracking, and reporting requirements for the Home Efficiency Rebates, including questions that states are required to answer prior to launching their programs, data requirements associated with individual rebate transactions, data requirements associated with overall rebate programs, and information regarding how states can share data with DOE.
- Part 3 lists additional data elements that DOE recommends states collect and DOE’s database will accept but are not required.
- Part 4 describes the primary functions that rebate programs must perform.
- Part 5 provides links to recommended workflows for fulfilling rebate processing and data requirements.
Each section provides more detail than we could possibly cover in this summary. It is worth noting that based on careful review, the requirements closely align with existing program models. These requirements have the potential to effectively guide program optimization through continuous feedback, rather than merely serving as a final compliance check.
Measured Pathway: Putting Data to Practical Use
Implementing a performance-based program like the measured path option in HOMES gives states the opportunity to turn data "obligations" into assets with a powerful feedback loop. When aggregators are paid based on the results achieved, states and their utility counterparts get an added layer of accountability and transparency often lacking in traditional energy efficiency programs.
Four key pieces of data are needed to calculate measured rebates:
When a State allows rebates using a measured savings approach, the State must calculate rebates consistent with Table 3 and based on
(1) the reported energy savings measured through DOE-approved open-source advanced M&V software,
(2) household income level,
(3) total project cost reflected in the final invoice or a payment rate as defined in Table 3, and
(4) home type consistent with the definitions in section 2.1.
- Source: PROGRAM REQUIREMENTS & APPLICATION INSTRUCTIONS p.13
The data needed to calculate energy savings includes customers' energy consumption before and after the intervention and the location (to enable weather normalization). Other information about the types of technologies installed could be optional but is a required field and can be used to provide insights for eligibility screening and pre-measurement savings estimates. Household income level, project costs, and home type are collected in the field during implementation and are useful for targeting and, in the case of income, essential for screening for rebate eligibility. Required data for the modeled pathway is essentially the same, with the exception of performance information—the most valuable part.
Section 126.96.36.199. of the DOE guidance specifies that for the measured approach, open-source M&V providers will need 12 months of energy usage data before and after the intervention or 9 months if peak seasons are included. This is the common practice for measured programs. Program implementers and data service providers can set up straightforward data transfer protocols with utilities that enable the necessary calculations and create appropriate steps for getting participant consent upon enrollment in the program. Establishing secure, reliable transfer protocols with utilities will significantly streamline savings tracking and payments for the program.
In addition to energy consumption data, states will collect roughly thirty fields of key non-energy parameters. The full list can be found on pages 6-11 of the Data Tools & Requirements Guide. DOE is working on a standardized system for states to upload the data to support reporting and their intended evaluation activities. This system will be optional for states to use but is encouraged. While some fields are not typical for measured programs, the bulk are standard and will allow program implementers to track the progress and performance of individual aggregators, particular building types, and technology combinations that drive the biggest savings. Allowing program implementers and administrators to "slice and dice" results by these parameters is how they can translate results into targeted, actionable feedback.
To further optimize and streamline implementation, states could organize all of this data upfront for the eligible population. Securely analyzing energy consumption patterns and other targeting parameters empowers states to strategically direct rebates for the greatest impact. It can be conducted and held securely using privatization approaches (anonymization for secure analysis and aggregation or differential privacy for secure sharing) to protect against the risk of harm from re-identifying anyone in the population. Customer-specific data is only shared with aggregators upon enrollment, including a consent process.
Data Access Plans & Risk-Based Security Assessment
The purpose of a risk-based approach is to replace an otherwise subjective gut check with a more guided decision-making approach that is scalable and proportionate, resulting in solutions that ensure data is useful while being sufficiently protected.
– Arbuckle, El Emam. Building an Anonymization Pipeline
Data security needs to be balanced with usability. A data access plan provides a roadmap to balancing these interests within a risk-based framework. Therefore, DOE requires a Utility Data Access Plan and a Privacy and Security Risk Assessment to show how States will maintain data flow security and minimize the risk of re-identification of individuals while still enabling the core uses of the data to support successful program implementation. In section 3.2.3. Program Requirements: Access to Residential Utility Data, DOE lays out expectations for a data access plan which should:
- Ensure that any data are transferred and maintained safely and securely, using established standards.
- Ensure that any parties participating in a program that requires energy consumption data have secure data protection and protocols that demonstrate the capability for a safe transfer of consumer data, including data for individual dwelling units and whole-building aggregate data for multifamily buildings.
- Determine which consumer consent processes the State will implement.
- Define energy consumption as primary or secondary purpose.
DOE also prepared a full set of considerations and recommendations pertaining to data access and sharing of utility energy consumption in the Utility Data Access Guidelines. As many states may be stepping into this conversation for the first time, the guidance provides a helpful starting point to navigate the topic with other state agencies and utilities.
For example, in the Utility Data Access Guidelines, DOE expands upon the key criteria, noting that data collected in administering state programs may be shared with program implementers and/or evaluators with whom they have a contractual relationship. By allowing State Energy Offices to designate agents, those with limited staff can instead rely on experienced third parties for secure data handling requirements. Implementers must implement risk-based security controls to ensure States are addressing data security and privacy. In a solicitation process, States can specify minimum criteria for potential vendors. Agents taking on this role must comply with the DOE guidance and would be well-positioned to support states in finalizing the plans. At a minimum, the controls must include documentation of a privacy and security risk assessment, rationale for categorizing the system, method for determining the risk impacts, and risks associated with data sharing. A copy of the privacy and risk assessment of State systems must be provided to DOE at least 60 days prior to the planned rebate program launch. DOE will review and approve this deliverable prior to approving the State for the rebate program launch.
As is best practice, DOE will require an independent third-party review of implementers' security and privacy controls at least once every three years. Implementers must have documented processes in place to monitor and address issues promptly. DOE may request copies of risk assessments, documentation from independent reviews, and/or documentation of risk or threat mitigation measures at any time. While not cited explicitly in the guidance, states should consider SOCII audit and certification as best practice and a minimum requirement when deciding who to contract as their advanced M&V open-source software provider or for other core data handling functions. SOCII certification would likely satisfy the DOE’s requirement and timeline for reviewing the security and privacy controls.
States that receive the federal funding for HOMES and HEERA rebate programs are required to retain records relating to their award for a period of 3 years from the date of submission of the final expenditure report. This archiving requirement is consistent with 2 CFR 200.334 through 200.338 federal requirements for data handling.
Data Infrastructure for a Market Transformation
DOE's data collection and transfer expectations may seem daunting at first glance. They are consistent, however, with existing practice for measured programs and are focused on the key essential information, even if there may be a few exceptions. Most importantly, they provide a path to enable a future of secure data-rich decision-making for demand-side resources. This core element of program design, deployment, and accountability will drive a transformation in the market that will last well beyond this program's funding horizon.
Reach out to discuss past lessons learned and new opportunities for developing a successful data access plan to enable a secure and robust feedback loop for this program.
Home Energy Rebate Program Requirements & Application Instructions—Issued by DOE July 27, 2023.
Data & Tools Requirements Guide—Issued by DOE July 27, 2023.
Utility Data Access Guidelines—Issued by DOE July 27, 2023
Energy Data Access: Guide to Leveraging Differential Privacy
Building an Anonymization Pipeline: Creating Safe Data; by Luk Arbuckle, Khaled El Emam ; (April 2020) Published by O'Reilly Media, Inc. ISBN: 9781492053439I;