Strong consumer data privacy protections are essential to maintaining the trust of our customers. We understand the importance of protecting the personal information we collect from the public. This document is intended to emphasize the PUD’s commitment to protect customer data from unauthorized disclosure or breach of security throughout the lifecycle of the data. It will also help the PUD and its customers understand some of the requirements imposed by RCW’s related to data security, and will recommend some best practices utilities can follow to add levels of security above and beyond the minimum state requirements.
Customer information [Personally Identifiable Information (PII) as defined on page 6 is collected and used to perform essential business functions such as operating and maintaining the system, managing outages, processing customer bills, credit and collections, conservation and usage management, etc. With the implementation of automated metering, even more detailed customer data is now being collected. Utilities must be committed to protecting the security and privacy of all customer data, and to conform to applicable laws and regulations, to keep this information private and secure.
This document is divided into several sections:
- Section 2 includes information that may not be required by statute but should be considered as the PUD develops internal policies and practices, and customer-facing documents, related to customer data privacy.
- Section 3 addresses the PUD obligations when a breach of customer personal information has occurred. The breach can occur at the utility, or at a utility subcontractor that has customer information.
- Section 4 – Investigation and Resolution of Complaints.
- Addendums include examples of internal and external policies and documents that utilities can use as resources when drafting their own policies.
2.1 Personally Identifiable Information
The District is committed to the protection of “PII” or “Data” and to preventing its unauthorized use or disclosure. Information considered PII covered by this Policy is limited to a [customer’s]:
- Street addresses
- Telephone numbers
- Email addresses
- Social Security or Unified Business Identifier (UBI) numbers
- Account numbers (Named Utility account numbers, credit card numbers, bank account numbers)
- Account balances
- Any information received during the identity and customer credit worthiness process
- Identity information provided on a driver’s license, passport, etc.
- Meter interval/electricity use data for less than a billing cycle.
Definition for the Use and Release of PII – Primary vs. Secondary Purpose
When customer Data is released to a contractor/subcontractor or other third party, the purpose of the release of the Data may be for either a “Primary” or “Secondary” purpose, as follows:
Primary Purpose – When Data is released for the purpose of performing essential business functions, such as billing or bill presentment, maintenance, and management functions including legal, audit, and collection services, energy efficiency program validation or administration (such as provision of energy efficiency information to BPA), customer surveys and other essential business functions, it is deemed to be for a “Primary Purpose.” When Data is released to a third party under contract to the utility to provide services that serve a Primary Purpose, the third party shall be bound to comply with all applicable state and federal laws and by this Policy, and shall be prohibited from further disclosing or selling any private or proprietary customer information obtained from the utility to a party that is not the utility and not a party to the contract with the utility.
Secondary Purpose – When Data is released for the purpose of marketing services or product offerings that the customer does not already subscribe to, it is deemed to be for a Secondary Purpose. Data released for a Secondary Purpose requires affirmative customer consent (see definition of Affirmative Consent below). Requests for customer Data used for Secondary Purposes might come from a customer asking for their Data to be shared directly to a third party vendor, from a vendor asking for customer Data for marketing purposes.
Notwithstanding the foregoing, nothing in this Policy is intended to prohibit or prevent the District from inserting any marketing information into the retail electric customer’s billing package.
2.2 Affirmative Customer Consent – Release of Data for Secondary Purpose
Prior to releasing customer Data for a Secondary Purpose, the customer’s prior permission (“Affirmative Consent”) must be obtained for each instance of release of Data, unless the customer has previously provided Affirmative Consent to release Data to the same third party. Customers who wish to authorize or direct the District to disclose their PII to a third party may do so by contacting the District.
The following is necessary to meet the requirements of Affirmative Consent, which can be provided electronically or via hard copy:
- The consent must include the date or time period for which the consent is granted.
- The consent must specify the party or parties the customer has authorized the release of their Data to, including any affiliates and third parties.
- The District must validate that the individual providing the consent matches the name, service address and account number of the customer of record in the District’s customer information system.
- A record for each instance the customer has given written or electronic consent must be maintained, following applicable records retention guidelines.
The attached “Customer Authorization to Release Information” (CARI) is provided as a template to use to obtain/provide consent from a customer for the release of Data. However, Affirmative Consent may be provided in writing or electronically (e.g. by e-mail) if it reasonably identifies information covered by the template.
Customers who have given Affirmative Consent also have the right to retract said consent at any time, but only for release of Data from the time of retraction forward.
2.3 Aggregated Data
Aggregated data is data that is considered sufficiently consolidated so that any individual customer cannot reasonably be identified. The District will generally follow a 15/15 rule, which means that aggregated data must include the data of at least 15 customers, and that no single customer included in the sample comprises more than 15% of the total load in the aggregated data set. Any PII must be removed from the aggregated data before release.
Affirmative Consent is not required when releasing aggregated data that meets this definition.
2.4 Disclosure of PII to Contractors/Subcontractors
As an electric utility, the District may engage contractors to provide services in support of primary and secondary business functions as noted above. In accordance with RCW 19.29A.100(5), the District shall require its contractors who will receive PII to sign a Confidentiality and Non-Disclosure Agreement (CNDA), including an agreement to be bound by this Policy. Further, the District’s contractors shall be responsible for assuring that any a subcontractor or other third party they engage to provide services in support of their contract with the District is in compliance with this Policy. Any breach of this agreement by any contractor may subject the contractor to potential remedies available to the utility or to the customer, including under the state’s Consumer Protection Act.
Release of PII for Primary Purpose
The General Manager (or an employee designated by the General Manager) of the District must review and approve any proposed or requested disclosure of PII to a third party contractor to determine if disclosing the PII to the contractor/subcontractor is necessary to meet a business objective that is a Primary Purpose and complies with this Policy. An approval only needs to be obtained the first time the District contracts with that entity. Subsequent requests are only required if additional types of PII will be provided to the contractor.
Release of PII for Secondary Purpose
The General Manager (or an employee designated by the General Manager) must obtain completed CARI forms from each customer whose Data will be shared for a Secondary Purpose. Copies of the forms shall be retained by the District in accordance with RCW 19.29A.100 and its Record Retention Policy.
Disclosure of PII During Customer Transactions
The District considers security of PII a top priority. Before releasing PII to a third party at the request of a customer, the District will take reasonable measures to verify the identity of the third party.
Disclosure of PII to Law Enforcement
The District will comply with RCW 42.56.235, which gives law enforcement authorities a mechanism to obtain records of individuals who are suspected of committing a crime. The law enforcement officer must complete a “Request for Inspection, Copying or Obtaining of Public Records by Law Enforcement Agencies” form before certain PII will be released to the requesting officer.
Customer information that is strictly protected from disclosure by law will not be released to law enforcement under the above process. In order for law enforcement to obtain this type of exemptible data, a subpoena, warrant or other form of court order must be obtained by the requesting agency.
All requests for PII by law enforcement should be processed through the District’s Public Records Officer.
In accordance with RCW 42.56.590, utilities are required to disclose any breach of personal information to their customers whose data was breached. Customer’s personal information is defined above in the Personal Identifiable Information definition. This notice needs to be provided as soon as the utility discovers the breach or is notified of the breach; for example, notified by a third party vendor of a breach of their system.
The following is a summary of some key points of this RCW. It is recommended the utility refer to the full RCW for the full list of requirements.
- Notice is not required if the breach is not likely to subject the customer to a risk of harm.
- Notification required by this section may be delayed if a law enforcement agency will impede a criminal investigation.
- The notice can be written or electronic, but if electronic there are some additional requirements.
- Depending on the cost of the notification, other options exist to provide this notification.
4. Investigation and Resolution of Complaints
Any requests for or disputes relating to, access, correction, or other matters involving a customer’s PII or potential or suspected violation of this policy by the District or a vendor under contract to the District should be directed to the District as follows: PUD Records Management [insert office/department, address, email, telephone]. [See attached description of complaint Investigation Process.] The District will investigate the complaint and, when the results are determined, work with the complainant to communicate its findings and resolve the complaint. The complainant may appeal the findings of the investigation to the District’s Governing Board for further review and resolution. If the investigation or review of the complaint finds a possible breach of this policy by a third party, the District will work with the customer in an effort to resolve the complaint; provided, nothing in this Policy is intended to require a customer to request that the District investigate an improper release or use of PII by a third party prior to exercising any applicable legal remedies against the third party.
Addendum 1: Non-Disclosure Agreement Checklist (Internal Facing)
The General Manager or an employee designated by the General Manager shall complete a review of this checklist prior to the release of customer PII as part of a vendor agreement under which the District will release PII to the vendor. The following customer/vendor/employee information will be shared with <Vendor Name> (check all that apply):
- ______ Names
- ______ Street addresses
- ______ Telephone numbers
- ______ Email addresses
- ______ Social Security or Unified Business Identifier (UBI) numbers
- ______ Account numbers (Named Utility account numbers, credit card numbers, bank account numbers)
- ______ Account balances
- ______ Any information received during the identity and customer credit worthiness process
- ______ Identity information provided on a driver’s license, passport, etc.
- ______ Meter interval/electricity use data.
I have reviewed the information and data sharing request and believe that the PII identified above is that which is minimally necessary to accomplish the business objective, and that the data is being used for a primary purpose. A non-disclosure agreement is required with the contract.
Addendum 2: Confidentiality and Nondisclosure Agreement (Internal/Vendor Facing)
CONFIDENTIALITY AND NONDISCLOSURE AGREEMENT
This Confidentiality Agreement (“Agreement”) is by and between Public Utility District #1 of Jefferson County (“JPUD”) a municipal corporation governed under RCW 54 of the laws of the State of Washington, and ____________________ (“Contractor”).
For purposes of this Agreement, “Confidential Information” shall include JPUD customer, employee, or vendor information, all technical and business information or material that has or could have commercial value or other interest in the business or prospective business of JPUD, and all information and material provided by the JPUD which is not an open public record subject to disclosure under the Washington Public Records Act. Confidential Information also includes all information of which unauthorized disclosure could be detrimental to the interests of JPUD or its customers, whether or not such information is identified as Confidential Information.
For purposes of this Agreement, “Contractor” shall include all employees, consultants, advisors and subcontractors of Contractor (“its Representatives”).
Contractor hereby agrees as follows:
- Contractor and its Representatives shall use the Confidential Information solely for the purposes directly related to the business set forth in Contractor’s agreement with JPUD and shall not in any way use the Confidential Information to the detriment of JPUD. Nothing in this Agreement shall be construed as granting any rights to Contractor, by license or otherwise, to any JPUD Confidential Information.
Contractor agrees to obtain and utilize such Confidential Information provided by JPUD solely for the purposes described above, and to otherwise hold such information confidential pursuant to the terms of this Agreement.
- In the event third parties attempt to obtain the Confidential Information by legal process, the Contractor agrees that it will not release or disclose any Confidential Information until JPUD has notice of the legal process and has been given reasonable opportunity to contest such release of information and/or to assert the confidentiality privilege.
- Upon demand by JPUD, all information, including written notes, photographs, memoranda, or notes taken by Contractor that is Confidential Information shall be returned to JPUD.
- Confidential Information shall not be disclosed to any third party without prior written consent of JPUD.
- It is understood that Contractor shall have no obligation with respect to any information known by it or generally known within the industry prior to the date of this Agreement, or become common knowledge with the industry thereafter.
- Contractor acknowledges that any disclosure of Confidential Information will cause irreparable harm to the JPUD, and agrees to exercise the highest degree of care in safeguarding Confidential Information against loss, theft, or other inadvertent disclosure and agrees generally to take all steps necessary to ensure the maintenance of confidentiality including obligating any of its Representatives who receive Confidential Information to covenants of confidentiality.
- The obligation set forth in this Agreement will continue for as long as Contractor possesses Confidential Information. If Contractor fails to abide by this Agreement, the JPUD will be entitled to specific performance, including immediate issuance of a temporary restraining order or preliminary injunction enforcing this Agreement, and to judgment for damages caused by the Contractor’s breach, and to any other remedies provided by applicable law. Any breach of this Agreement shall constitute a default in performance by Contractor in any contract between the JPUD and Contractor. If any suit or action is filed by JPUD to enforce this Agreement, or otherwise with respect to the subject matter of this Agreement, the prevailing party shall be entitled to recover reasonable attorney fees incurred in the preparation or in prosecution or defense of such suit or action as affixed by the trial court, and if any appeal is taken from the decision of the trial court, reasonable attorney fees as affixed by the appellate court. This Agreement shall be governed by and construed in accordance with the laws of the State of Washington.
_________________________________ Dated: _____________________
_________________________________ Dated: _____________________
Addendum 3: Customer Authorization to Release Information (Customer Facing)
By signing this form I expressly authorize (Named Utility) to release the personally identifying information (PII) listed below to a third party.
Account Number: ___________________________________________
Name on Account: ___________________________________________
Service Address: ___________________________________________
Phone Number: ___________________________________________
Email Address: ___________________________________________ (if applicable)
I authorize the release of my customer data as follows:
The type of data to be released (i.e. usage or payment history, payment etc.) and the period in which the data covers (e.g. from January, 2014 through December, 2014) is further described below:
Name of Recipient/Business: _____________________________________________________
Phone Number: ___________________________________________________________
Manner in which data should be provided (mail, email, pick up): ______________________
Date(s) in which this release is in effect: _________________________________________
This data release is at the request of, and on behalf of the (Named Utility) customer listed above, and as such, the I agree to release and hold harmless (Named Utility) from any liability, claims, demands, causes of action, damages or expenses resulting from: 1) any release of information to the recipient noted above; 2) the unauthorized use of this information or data; and 3) from any actions taken by the recipient with respect to such information or data.
Account Holder Signature: ___________________________________ Date: _____________
Addendum 4: Appeals Process (Customer Facing)
Complaint Investigation Process A customer has the right to request that their utility investigate the potential release of their information.
A Customer shall utilize the following steps to initiate the investigation process:
- The utility must receive a customer’s written request by personal delivery, email or mail, and shall be addressed to the PUD#1 of Jefferson County.
- The request must contain a short, plain statement of potential data released, the reasons the customer believes that the utility or its vendor may be the cause of the release, the action requested by the customer, any other information the customer deems pertinent to the investigation, and the appropriate customer contact information for purposes of questions about and communication of the results of the investigation.
- Upon receipt of the request, the customer will be contacted by the utility’s designee(s) within _3__ business days and an informal conference will be scheduled.
- The utility’s designee(s) will investigate and inform the customer of their findings and report back their findings to the customer of the investigation.
- If the investigation is resolved to the satisfaction of the customer, the process is concluded.
- If the situation remains unresolved, the customer may appeal the results of the investigation to the governing board
Addendum 5: The Protection of Customer Data & Privacy (Customer Facing)
Our Customer Rights Statement shares our guiding principles for how we operate and conduct our business related to the security, privacy, and use of customer date, and matters of customer choice. Consumer trust is essential to the success of new technologies, and protecting the privacy of customer data is one crucial component of strengthening this trust.
JPUD collects and uses customer data to perform essential business operations such as operating and maintaining the system, managing outages and processing customer bills. In using this data, JPUD will conform to applicable laws and regulations intended to keep this information private and secure. Moreover, JPUD recognizes its responsibilities may appropriately extend beyond these laws and regulations and as such has developed this Customer Rights Statement.
JPUD customers have the right to:
- We will never sell our customer’s information. We only share customer information with third parties in order to conduct essential business functions (such as bill processing services). Our vendors are held accountable to the same standards regarding customer information shared with them.
- We only share or disclose customer information with the public in compliance with local, state, and federal laws. As a public entity, we will seek to protect the privacy of our customers’ personal information in complying with public records requests.
- We are committed to a fair resolution of privacy concerns. We provide our customers with an investigation and appeal process that allows them to resolve concerns regarding the release of their information.
- Data Security & Integrity
- We only capture data required to conduct our business and retain it only as needed.
- We design security into every data collection, access and transfer point.
- We will not transmit personally identifiable information over our Advanced Metering Infrastructure network.
- We implement measures to protect against a loss, misuse, and alteration of the information we control.
- We ensure delivery of an accurate bill and/or timely response if an error is discovered.
- We conduct business in an open, transparent manner where our privacy policies and decisions are available to the public.
- We provide information to our customers about all aspects of their account.
- Customer Choice
- The District does not currently have a time-of-use pricing program in place. In the event a time-of-use pricing program is considered, development of such a program will be conducted through an open, public process.
- We will not implement a Home Area Network that enables customers to monitor and control their own appliances without prior written consent.
- We are confident in the advanced meter technology that we have deployed: however customers may opt-out of our advanced meters. Fees are established to offset the cost of meter replacement and manual reads.
Addendum 6: Sample Law Enforcement Request Form (Internal)
REQUEST FOR INSPECTION, COPYING OR OBTAINING PUBLIC RECORDS BY LAW ENFORCEMENT AGENCIES
JPUD is governed by Title 54 of the Revised Code of Washington, and is subject to Washington state laws pertaining to the release of public records.
This document is provided to allow law enforcement agencies to obtain disclosure of public records in accordance with Resolution 2016-012 and the Washington Public Records Act. Authorized law enforcement representatives are required to provide proper identification and sign this form acknowledging the records being requested are being obtained pursuant to the requirements of the Washington Public Records Act.
For further information, please contact [contact info]
Date of Request: ____________________
Requestor’s Name: _______________________________________________________
Representing Agency: _______________________________________________________
Identification provided: _______________________________________________________
Specific Document/Information requested: ________________________________________________________________________________
Legal Process Requirements: The following types of records, or portions thereof, will require a signed warrant and/or subpoena for processing: customer records containing banking information, including routing numbers, social security numbers, and credit card numbers. (This list may not be all inclusive.)
Requestor must review and sign prior to document/information being provided:
This request for customer information from JPUD is being made pursuant to the Washington Public Records Act. Upon signing this statement, the requestor acknowledges that the above information is being requested because they suspect that a particular person to whom the records pertain has committed a crime. The requestor further states that there is reasonable belief that the records being requested could determine or help determine whether their suspicion might be true.
________________________ (signature of requestor)