§ 63.135. Customer information.
This section describes procedures for determining access to customer information and the purposes for which this information may be used by employees, agents or independent contractors responding to requests for customer information from persons outside the telecommunications company and the recording of use and disclosure of customer information.
(1) Access to and use of customer information. Access to and use of customer information shall be limited to employees, agents or independent contractors who have a legitimate need to use the information in the performance of their work duties and, because of the nature of their duties, need to examine the data to accomplish the legitimate and lawful activities necessarily incident to the rendition of service by the telecommunications company. An employee, agent or independent contractor shall be prohibited from using customer information for personal benefit or the benefit of another person not authorized to receive the information.
(2) Requests from the public. Customer information that is not subject to public availability may not be disclosed to persons outside the telecommunications company or to subsidiaries or affiliates of the telecommunications company, except in limited instances which are a necessary incident to:
(i) The provision of service.
(ii) The protection of the legal rights or property of the telecommunications company where the action is taken in the normal course of an employees, agents or independent contractors activities.
(iii) The protection of the telecommunications company, an interconnecting carrier, a customer or a user of service from fraudulent, unlawful or abusive use of service.
(iv) A disclosure that is required by a valid subpoena, search warrant, court order or other lawful process.
(v) A disclosure that is requested or consented to by the customer or the customers attorney, agent, employee or other authorized representative.
(vi) A disclosure request that is required or permitted by law, including the regulations, decisions or orders of a regulatory agency.
(vii) A disclosure to governmental entities if the customer has consented to the disclosure, the disclosure is required by a subpoena, warrant or court order or disclosure is made as part of telecommunications company service.
(3) Limitation on disclosures to agents, contractors, subsidiaries or affiliates. To comply with this subchapter, a telecommunications company may not allow disclosure of customer information to an agent, contractor, subsidiary or affiliate it has entered in a direct contractual relationship with or to the agents, independent contractors, subsidiaries or affiliates of a party it has entered into a contract with absent the prior establishment of terms and conditions for the disclosure pursuant to a written agreement that requires:
(i) Treatment of the information as confidential.
(ii) Use of the information by the contracting party or any of its respective employees, agents or independent contractors for only those purposes specified in the contract or agreement. The contract shall require the contracting party to establish a confidentiality statement which provides confidentiality protections which are no less than those required of the telecommunications company by this subchapter and to maintain the same commitment to the protections in § 63.134 (relating to commitment to confidentiality of customer communications and customer information). The contract may not allow the interception or use of the customer information or customer communications in a manner not authorized with respect to a telecommunications companys employee, agent or independent contractor. The contracting party shall also be subject to the operational restrictions specified in this subchapter with regard to the handling of customer communications and customer information as would otherwise apply to a telecommunications companys employee, agent or independent contractor.
(iii) Nondisclosure of the customer information and customer communications to third parties except as required by law.
(4) Requests from law enforcement agencies and civil litigation. Government administrative, regulatory and law enforcement agencies and parties in civil litigation may be able to compel the telecommunications company to disclose customer information by serving upon the utility a subpoena, search warrant, court order or other lawful process.
(i) In response to legal process requiring the disclosure of customer information, the security department shall make the necessary arrangements with the government agency or attorney who caused the legal process to be issued regarding the information to be produced and the identity of the employee, agent or independent contractor or other telecommunications company representative who will produce the information. The employee, agent or independent contractor assigned to produce this information shall secure the information, including applicable records, from the department having possession of the information and records and shall ascertain the meaning of a code word or letters or nomenclature which may appear on the records, to explain the meaning, if requested to do so. The employee, agent or independent contractor shall then comply with the legal process.
(ii) If information, including applicable records, is unavailable, the employee, agent or independent contractor selected to respond to the legal process shall be prepared to explain the unavailability of the information requested.
(iii) When a request for customer information is presented by a law enforcement agency, but that request is not accompanied by legal process, the request shall be referred to the security department. Absent legal process, the security department may not make disclosure of customer information to a law enforcement agency, except as required or permitted by law. Written, oral or other communication to law enforcement officials to indicate whether obtaining legal process would be worthwhile is prohibited by the Commission.
(5) Safeguarding customer information. A telecommunications company is responsible for implementing appropriate procedures to safeguard customer information and prevent access to it by unauthorized persons. Tangible customer records such as paper or microfiche records and electromagnetic media shall be stored in secure buildings, rooms and cabinets, as appropriate, to protect them from unauthorized access. Data processing and other electronic systems shall contain safeguards, such as codes and passwords, preventing access to customer information by unauthorized persons.
(i) Transmission of customer information. Customer information shall be transmitted in a manner which will reasonably assure that the information will not be disclosed to persons who are not authorized to have access to it.
(ii) Reproduction. Customer records may not be reproduced unless there is a business need for the reproduction. Only sufficient copies shall be made to satisfy the business purpose for the reproduction.
(iii) Destruction of customer records. Customer records shall be disposed of by the most advantageous method available at each location when retention of the records is no longer required by applicable Federal Communications Commission (FCC) regulations, other legal requirements, contract provisions such as government contract requirements or appropriate document retention guidelines.
(6) Recording use and disclosure of customer information. Because of the frequency with which customer information is used and disclosed in the ordinary course of business, it is neither practical nor desirable to record each instance in which customer information is used or disclosed by an employee, agent or independent contractor. However, the importance of some forms of customer information and the circumstances under which the information may be used or disclosed dictate that a record is required of the use or disclosure of customer information, as follows:
(i) Each instance in which customer information is used or disclosed for purposes other than to furnish service to the customer, to collect charges due from the customer or to accomplish other ordinary and legitimate business purposes.
(ii) Each instance in which information is disclosed to persons outside of the telecommunications company, subject to subparagraph (i).
(iii) Each instance in which customer information is disclosed to a governmental entity or the telecommunications company security department.
(iv) Each instance in which a record is required by other telecommunications company practices or procedures.
(7) Annual notice of Customer Proprietary Network Information (CPNI) rights. The telecommunications company shall provide an annual written notice of CPNI rights, as defined by the FCC, to customers with less than 20 access lines. The notice shall be submitted to the Commissions Bureau of Consumer Services for plain language review prior to issuance.
Authority The provisions of this § 63.135 amended under 66 Pa.C.S. § 3019(b)(2) and (3).
Source The provisions of this § 63.135 amended August 12, 2022, effective August 13, 2022, 52 Pa.B. 5049. Immediately preceding text appears at serial pages (332468) to (332469), (232285) to (232286) and (361655).
Cross References This section cited in 52 Pa. Code § 63.143 (relating to code of conduct).
No part of the information on this site may be reproduced for profit or sold for profit.
This material has been drawn directly from the official Pennsylvania Code full text database. Due to the limitations of HTML or differences in display capabilities of different browsers, this version may differ slightly from the official printed version.