Pennsylvania Code (Last Updated: April 5, 2016) |
Title 52. PUBLIC UTILITIES |
PART I. Public Utility Commission |
Subpart C. Fixed Service Utilities |
Chapter 63. Telephone Service |
SubChapter J. CONFIDENTIALITY OF CUSTOMER COMMUNICATIONSAND INFORMATION |
Section 63.135. Customer information
-
This section describes procedures for determining employe access to customer information and the purposes for which this information may be used by employes responding to requests for customer information from persons outside the telephone company and the recording of use and disclosure of customer information.
(1) Employe access to and use of customer information. Access to and use of customer information shall be limited to employes who have a legitimate need to use the information in the performance of their work duties and, because of the nature of their duties, need to examine the data to accomplish the legitimate and lawful activities necessarily incident to the rendition of service by the telephone company. An employe shall be prohibited from using customer information for personal benefit or the benefit of another person not authorized to receive the information.
(2) Requests from the public. Customer information that is not subject to public availability may not be disclosed to persons outside the telephone company or to subsidiaries or affiliates of the telephone company, except in limited instances which are a necessary incident to:
(i) The provision of service.
(ii) The protection of the legal rights or property of the telephone company where the action is taken in the normal course of an employes activities.
(iii) The protection of the telephone company, an interconnecting carrier, a customer or a user of service from fraudulent, unlawful or abusive use of service.
(iv) A disclosure that is required by a valid subpoena, search warrant, court order or other lawful process.
(v) A disclosure that is requested or consented to by the customer or the customers attorney, agent, employe or other authorized representative.
(vi) A disclosure request that is required or permitted by law, including the regulations, decisions or orders of a regulatory agency.
(vii) A disclosure to governmental entities if the customer has consented to the disclosure, the disclosure is required by a subpoena, warrant or court order or disclosure is made as part of telephone company service.
(3) Limitation on disclosures to agents, contractors, subsidiaries or affiliates. To comply with this subchapter, a telephone company may not allow disclosure of customer information to an agent, contractor, subsidiary or affiliate (the contracting party) absent the prior establishment of terms and conditions for the disclosure pursuant to a written agreement that requires:
(i) Treatment of the information as confidential.
(ii) Use of the information by the contracting party or any of its respective employes for only those purposes specified in the contract or agreement. The contract shall require the contracting party to establish a confidentiality statement which provides confidentiality protections which are no less than those required of the telephone company by this subchapter and to maintain the same employe commitment to the protections in § 63.134 (relating to employe commitment to confidentiality of customer communications and customer information). The contract may not allow the interception or use of the customer information or customer communications in a manner not authorized with respect to a telephone company employe. The contracting party shall also be subject to the operational restrictions specified in this subchapter with regard to the handling of customer communications and customer information as would otherwise apply to a telephone company employe.
(iii) Nondisclosure of the customer information and customer communications to third parties except as required by law.
(4) Requests from law enforcement agencies and civil litigation. Government administrative, regulatory and law enforcement agencies and parties in civil litigation may be able to compel the telephone company to disclose customer information by serving upon the utility a subpoena, search warrant, court order or other lawful process.
(i) In response to legal process requiring the disclosure of customer information, the security department shall make the necessary arrangements with the government agency or attorney who caused the legal process to be issued regarding the information to be produced and the identity of the employe or other telephone company representative who will produce the information. The employe assigned to produce this information shall secure the information, including applicable records, from the department having possession of the information and records and shall ascertain the meaning of a code word or letters or nomenclature which may appear on the records, to explain the meaning, if requested to do so. The employe shall then comply with the legal process.
(ii) If information, including applicable records, is unavailable, the employe selected to respond to the legal process shall be prepared to explain the unavailability of the information requested.
(iii) When a request for customer information is presented by a law enforcement agency, but that request is not accompanied by legal process, the request shall be referred to the security department. Absent legal process, the security department may not make disclosure of customer information to a law enforcement agency, except as required or permitted by law. Written, oral or other communication to law enforcement officials to indicate whether obtaining legal process would be worthwhile is prohibited by the Commission.
(5) Safeguarding customer information. A telephone company is responsible for implementing appropriate procedures to safeguard customer information and prevent access to it by unauthorized persons. Tangible customer records such as paper or microfiche records and electromagnetic media shall be stored in secure buildings, rooms and cabinets, as appropriate, to protect them from unauthorized access. Data processing and other electronic systems shall contain safeguards, such as codes and passwords, preventing access to customer information by unauthorized persons.
(i) Transmission of customer information. Customer information shall be transmitted in a manner which will reasonably assure that the information will not be disclosed to persons who are not authorized to have access to it.
(ii) Reproduction. Customer records may not be reproduced unless there is a business need for the reproduction. Only sufficient copies shall be made to satisfy the business purpose for the reproduction.
(iii) Destruction of customer records. Customer records shall be disposed of by the most advantageous method available at each location when retention of the records is no longer required by applicable Federal Communications Commission (FCC) regulations, other legal requirements, contract provisions such as government contract requirements or appropriate document retention guidelines.
(6) Recording use and disclosure of customer information. Because of the frequency with which customer information is used and disclosed in the ordinary course of business, it is neither practical nor desirable to record each instance in which customer information is used or disclosed by an employe. However, the importance of some forms of customer information and the circumstances under which the information may be used or disclosed dictate that a record is required of the use or disclosure of customer information, as follows:
(i) Each instance in which customer information is used or disclosed for purposes other than to furnish service to the customer, to collect charges due from the customer or to accomplish other ordinary and legitimate business purposes.
(ii) Each instance in which information is disclosed to persons outside of the telephone company, subject to subparagraph (i).
(iii) Each instance in which customer information is disclosed to a governmental entity or the telephone company security department.
(iv) Each instance in which a record is required by other telephone company practices or procedures.
(7) Annual notice of Customer Proprietary Network Information (CPNI) rights. The telephone company shall provide an annual written notice of CPNI rights, as defined by the FCC, to customers with less than 20 access lines. The notice shall be submitted to the Commissions Bureau of Consumer Services for plain language review prior to issuance.
Notation
This section cited in 52 Pa. Code § 63.143 (relating to code of conduct).