Current through Register Vol. 54, No. 38, September 21, 2024
This section describes procedures for determining access
to customer information and the purposes for which this information may be used
by employees, agents or independent contractors responding to requests for
customer information from persons outside the telecommunications company and
the recording of use and disclosure of customer information.
(1)
Access to and use of customer
information. Access to and use of customer information shall be
limited to employees, agents or independent contractors who have a legitimate
need to use the information in the performance of their work duties and,
because of the nature of their duties, need to examine the data to accomplish
the legitimate and lawful activities necessarily incident to the rendition of
service by the telecommunications company. An employee, agent or independent
contractor shall be prohibited from using customer information for personal
benefit or the benefit of another person not authorized to receive the
information.
(2)
Requests
from the public. Customer information that is not subject to public
availability may not be disclosed to persons outside the telecommunications
company or to subsidiaries or affiliates of the telecommunications company,
except in limited instances which are a necessary incident to:
(i) The provision of service.
(ii) The protection of the legal rights or
property of the telecommunications company where the action is taken in the
normal course of an employee's, agent's or independent contractor's
activities.
(iii) The protection of
the telecommunications company, an interconnecting carrier, a customer or a
user of service from fraudulent, unlawful or abusive use of service.
(iv) A disclosure that is required by a valid
subpoena, search warrant, court order or other lawful process.
(v) A disclosure that is requested or
consented to by the customer or the customer's attorney, agent, employee or
other authorized representative.
(vi) A disclosure request that is required or
permitted by law, including the regulations, decisions or orders of a
regulatory agency.
(vii) A
disclosure to governmental entities if the customer has consented to the
disclosure, the disclosure is required by a subpoena, warrant or court order or
disclosure is made as part of telecommunications company service.
(3)
Limitation on
disclosures to agents, contractors, subsidiaries or affiliates. To
comply with this subchapter, a telecommunications company may not allow
disclosure of customer information to an agent, contractor, subsidiary or
affiliate it has entered in a direct contractual relationship with or to the
agents, independent contractors, subsidiaries or affiliates of a party it has
entered into a contract with absent the prior establishment of terms and
conditions for the disclosure pursuant to a written agreement that requires:
(i) Treatment of the information as
confidential.
(ii) Use of the
information by the contracting party or any of its respective employees, agents
or independent contractors for only those purposes specified in the contract or
agreement. The contract shall require the contracting party to establish a
confidentiality statement which provides confidentiality protections which are
no less than those required of the telecommunications company by this
subchapter and to maintain the same commitment to the protections in §
63.134 (relating to commitment to
confidentiality of customer communications and customer information). The
contract may not allow the interception or use of the customer information or
customer communications in a manner not authorized with respect to a
telecommunications company's employee, agent or independent contractor. The
contracting party shall also be subject to the operational restrictions
specified in this subchapter with regard to the handling of customer
communications and customer information as would otherwise apply to a
telecommunications company's employee, agent or independent
contractor.
(iii) Nondisclosure of
the customer information and customer communications to third parties except as
required by law.
(4)
Requests from law enforcement agencies and civil litigation.
Government administrative, regulatory and law enforcement agencies and parties
in civil litigation may be able to compel the telecommunications company to
disclose customer information by serving upon the utility a subpoena, search
warrant, court order or other lawful process.
(i) In response to legal process requiring
the disclosure of customer information, the security department shall make the
necessary arrangements with the government agency or attorney who caused the
legal process to be issued regarding the information to be produced and the
identity of the employee, agent or independent contractor or other
telecommunications company representative who will produce the information. The
employee, agent or independent contractor assigned to produce this information
shall secure the information, including applicable records, from the department
having possession of the information and records and shall ascertain the
meaning of a code word or letters or nomenclature which may appear on the
records, to explain the meaning, if requested to do so. The employee, agent or
independent contractor shall then comply with the legal process.
(ii) If information, including applicable
records, is unavailable, the employee, agent or independent contractor selected
to respond to the legal process shall be prepared to explain the unavailability
of the information requested.
(iii)
When a request for customer information is presented by a law enforcement
agency, but that request is not accompanied by legal process, the request shall
be referred to the security department. Absent legal process, the security
department may not make disclosure of customer information to a law enforcement
agency, except as required or permitted by law. Written, oral or other
communication to law enforcement officials to indicate whether obtaining legal
process would be worthwhile is prohibited by the Commission.
(5)
Safeguarding customer
information. A telecommunications company is responsible for
implementing appropriate procedures to safeguard customer information and
prevent access to it by unauthorized persons. Tangible customer records such as
paper or microfiche records and electromagnetic media shall be stored in secure
buildings, rooms and cabinets, as appropriate, to protect them from
unauthorized access. Data processing and other electronic systems shall contain
safeguards, such as codes and passwords, preventing access to customer
information by unauthorized persons.
(i)
Transmission of customer information. Customer information
shall be transmitted in a manner which will reasonably assure that the
information will not be disclosed to persons who are not authorized to have
access to it.
(ii)
Reproduction. Customer records may not be reproduced unless
there is a business need for the reproduction. Only sufficient copies shall be
made to satisfy the business purpose for the reproduction.
(iii)
Destruction of customer
records. Customer records shall be disposed of by the most
advantageous method available at each location when retention of the records is
no longer required by applicable Federal Communications Commission (FCC)
regulations, other legal requirements, contract provisions such as government
contract requirements or appropriate document retention guidelines.
(6)
Recording use and
disclosure of customer information. Because of the frequency with
which customer information is used and disclosed in the ordinary course of
business, it is neither practical nor desirable to record each instance in
which customer information is used or disclosed by an employee, agent or
independent contractor. However, the importance of some forms of customer
information and the circumstances under which the information may be used or
disclosed dictate that a record is required of the use or disclosure of
customer information, as follows:
(i) Each
instance in which customer information is used or disclosed for purposes other
than to furnish service to the customer, to collect charges due from the
customer or to accomplish other ordinary and legitimate business
purposes.
(ii) Each instance in
which information is disclosed to persons outside of the telecommunications
company, subject to subparagraph (i).
(iii) Each instance in which customer
information is disclosed to a governmental entity or the telecommunications
company security department.
(iv)
Each instance in which a record is required by other telecommunications company
practices or procedures.
(7)
Annual notice of Customer
Proprietary Network Information (CPNI) rights. The telecommunications
company shall provide an annual written notice of CPNI rights, as defined by
the FCC, to customers with less than 20 access lines. The notice shall be
submitted to the Commission's Bureau of Consumer Services for plain language
review prior to issuance.
The provisions of this § 63.135 amended under
66 Pa.C.S. §
3019(b)(2) and
(3).
This section cited in 52 Pa. Code §
63.143 (relating to code of
conduct).
