*4.1. Compulsory Functions*

The interval resolution and categories of data of compulsory functions are listed in Table 1 below. For billing purposes, the frequent transmission of the power consumption data would put consumers under the monitoring of the utility. For grid operation and management, although the utility requires high interval resolution data (seconds to 100 Hz), it is unnecessary to access every individual's power consumption; aggregated data of a defined area is more desirable. Most additional services provided by TP only require a specific part of the power consumption data (a certain period, a specific appliance power consumption, etc.), so, all TPs are to obey the data minimization principle (explained below), and only collect the minimum data required to complete the service.


**Table 1.** Summary of data granularity of different functionalities.

In the proposed strategy and model, it is not considered appropriate to authorize TTP (described earlier) to be responsible for data aggregation, since as a potential inner adversary TTP can still acquire valuable information during the aggregating process. Rather, substations could be a better choice for data aggregation. In countries such as the US and China, there is already an installation of substation-level supervisory control and data acquisition (SCADA) systems [69]. This provides evidence that substation-level smart metering or intelligent substation data would be a trend of the future smart grid system.

Moreover, in contrast to conventional smart metering systems that can only transmit a single temporal resolution trace, this novel scheme contains three communication channels to support multi-temporal resolutions data. These three channels are a high-frequency aggregated data channel, to transmit 100 Hz aggregated data measured at the distribution level substation; a TOU billing channel, to send dynamic TOU price information to smart meters and send bills to the ES monthly; and an additional service channel, to transmit selected data to support additional services. The smart meter in the scheme plays the role of the assistant processor rather than the information sender and receiver; it has basic computation ability to calculate billing inside the house rather than sending individual power consumption near real-time.

#### *4.2. Data Minimisation and Protection*

As one of the most vital principles of data protection, data minimization is mentioned in five separate sections in GDPR (Article 5 (Chapter II), Article 25 (Chapter IV), Article 47 (Chapter V), Article 89 (Chapter IX)) [9]. It highlights that limitations should be set on the measurement of personal data implemented by organizations; only the minimized information necessary to complete specific required purposes can be collected. More specifically, the data minimization principle for the smart grid is recommended in the US National Institute of Standards and Technology (NIST) Guidelines [32]. To deal with privacy risks caused by smart meters, strict limitations need to be set; only the data which are essential for smart grid operation should be collected (e.g., billing, demand-side management, grid planning). Data minimization is strongly related to protection from inner and outer attacks, as will be presented in the following section of the paper.
