Utility Privacy Policy
Contents
III. Customer Personal Information Collected by the Utility
V. How the Utility Uses and Safeguards Customer Personal Information
VII. Disclosures Required by Law
VIII. Disclosures for Marketing
I. Privacy Policy
A. Introduction. The Utility values the trust of the customers we serve. We recognize that to maintain that trust, we must safeguard the personal and private customer information we obtain and use for our utility operations.
B. Scope. This Privacy Policy establishes the administrative and procedural guidance the Utility will follow in our use of personal and private customer information. This Privacy Policy applies to all Utility officers, managers, employees, vendors, and other contract personnel with access to Customer Personal Information.
C. Statement of Policy. The Utility shall use reasonable means necessary to ensure that:
- Customer Personal Information is kept confidential as outlined;
- That Customer Personal Information is accessed only by those Utility Employees and Affiliates who have a legitimate business need for such information connected to the provision of Utility services to Customers;
- That prior consent is obtained before any Customer Personal Information is released to a Third Party for any purposes other than those required for legitimate business purposes;
- That appropriate safeguards be implemented to protect the privacy of Customer Personal Information.
D. Policy Changes. The Utility may change and/or update this policy as needed. We encourage our Customers to regularly review this Privacy Policy whenever they visit our website to stay familiar with the most current version.
II. Definitions
Affiliates: “Affiliate” means an entity, vendor, service provider, contractor, independent contractor, or person performing a function or service for, with, or on behalf of the Utility related to providing reliable utility service.
Aggregated Data: “Aggregated Data” means data or information regarding customer utility usage or other customer related information where Personal Identifying Information has been removed and the information is collected or combined (aggregated) with a sufficiently large group of Customers that it is highly improbable that a person receiving such information could deduce the identities and/or electricity usage habits of individual customers.
Customer: “Customer” means a current or former customer of the Utility.
Customer Consent. “Customer Consent” is defined and discussed in Section VIII.
Customer Personal Information (or Personal Information): “Customer Personal Information” means “Personal Usage and Billing Information” and/or “Personally Identifying Information” as those terms are defined below. Information we collect that does not reveal details, patterns, or other insights into the customer’s identity, personal life, or activities will not be considered Customer Personal Information.
Personal Usage and Billing Information: “Personal Usage and Billing Information” is (1) data or information collected, received, and/or stored by the Utility that relates to the source, technical configuration, destination, and amount of a utility service, either electricity or water, used by a utility retail customer, (2) a Utility Customer’s payment history, (3) household data that is made available by the Customer solely by virtue of the Utility Customer’s relationship with the Utility, and (4) information contained in a utility retail Customer’s bill.
“Personal Usage and Billing Information” includes Proprietary Customer Information as that term is defined by state law in RCW 19.29A.010.
Personally Identifying Information or PII: “Personally Identifying Information” or “PII” means information that can be used to distinguish, reveal, or trace an individual’s identity that is linked or linkable to a specific individual, and consists of:
- Names
- Street and/or mailing addresses
- Telephone or fax numbers
- E-mail addresses
- Birthdates
- Social Security Numbers
- Driver’s License Numbers
- Washington identification card number
- Account numbers, credit or debit card numbers, security access code or password or other numbers that would allow access to an individual’s financial accounts or financial information.
- Information received as part of a credit check process consisting of unique personal identifying information related to finances.
- Student, military, or passport id number
- Biometric data including fingerprints, voiceprints, or other unique biological patterns or characteristics used to identify an individual
- Any other unique identifying number, characteristic, or code.
“Personally Identifying Information” includes Private Customer Information as that term is defined by state law in RCW 19.29A.010. As used in this Privacy Policy, Personally Identifying Information does not include personal information the Utility collects in its capacity as an employer which is addressed under separate policies.
Privacy Officer: The Utility will identify an officer or employee to be responsible for implementing and reviewing Utility privacy procedures. The Privacy Officer shall have primary responsibility for overseeing the implementation and improvement of the Privacy Policy.
Privacy Policy: “Privacy Policy” means this policy.
Public Information: “Public Information” includes any non-privileged, non-Personally Identifying Information, or non-Customer Personal Information prepared, owned, used, or retained by the Utility that is required to be disclosed, intended to be made available to the public.
Third Party: “Third Party” means a person, organization or entity authorized by a Customer to receive Customer Personal Information, as outlined in this Privacy Policy.
Utility: “Utility” collectively refers to the City of Tacoma, Department of Public Utilities, Light Division (Tacoma Power) and Water Division (Tacoma Water).
III. Customer Personal Information Collected by the Utility
The Utility may request and collect Customer Personal Information under a number of circumstances related to its utility operations. Please reference Appendix A which is provided as an attempt to provide you with a reasonably complete list of the information the Utility may collect in relation to its operations, programs, and services.
IV. Customer Rights
A. Customer Privacy. Except as provided in Sections VI and VII below, the Utility shall not disclose any Customer Personal Information to any person or entity without the Customer’s prior consent or approval.
B. List of the Customer Personal Information the Utility Collects. The Utility shall make available to Customers a summary or listing of the types of Customer Personal Information that is collected by regularly updating Appendix A of this Privacy Policy. This summary or listing shall be updated at regular intervals to reflect changes in technology or Customer Personal Information collection practices.
C. Customer Right to Review and Correct Customer Personal Information. The Utility provides opportunities for customers to review and correct/update their Customer Personal Information. If Customers have registered for an online account, Customers may access and edit the Customer Personal Information by accessing their online customer account on the site. Otherwise, Utility Customers may request to review and correct their Customer Personal Information at any time by contacting Tacoma Public Utilities’ Customer Service Division by telephone at (253) 502-8600 or by email at cservice@cityoftacoma.org or in person at 3628 South 35th Street, Tacoma WA 98409. Due to the confidentiality of certain Customer Personal Information, certain updates may be required to be made in person.
If a Customer has an Advanced Meter, the Utility will make billing interval meter data available to the customer on the Utility’s online portal after it has been collected and verified.
D. Customer Right to Share or Disclose Customer Personal Information. In addition to this Policy, requests and disclosure practices involving customer account information are governed by TPU’s Customer Services Policies (Section 4.2.9). Except as set forth in this Privacy Policy, Customer Personal Information (such as account information) is ordinarily shared only with the person or persons listed on the account.
Customers have the option to share their own Customer Personal Information (Personal Usage and Billing Information) with third parties (e.g., service providers that facilitate compatible devices, technologies, and appliances that augment the visibility, understanding, and control of electricity consumption). The Utility shall implement procedures for allowing Customers to share such information when administratively practical, including electronic copies of their Customer Personal Information.
Whenever a Customer requests their Customer Personal Information (Personal Usage and Billing Information) be provided to a Third Party, whether electronically or in writing, the Utility may require that the Customer document acknowledgement that the Customer is solely responsible for the information that they disclose to a Third Party and that the Utility is not responsible for any use the Third Party makes of such information.
V. How the Utility Uses and Safeguards Customer Personal Information
A. Utility Use of Customer Personal Information. Generally, the Utility uses Customer Personal Information to authenticate and administer customer accounts and information and manage and improve our services and business operations. Appendix A provides specific examples of how the Utility collects and uses Customer Personal Information.
The Utility may release Customer Personal Information without prior Customer consent when necessary to perform and protect lawful utility business functions. The Utility reserves the right to disclose or share Customer Personal Information with third parties as needed (1) to initiate and render utility services; (2) to bill and collect funds owing to the Utility; (3) to protect the Utility, our customers, or the public from fraudulent, abusive, or unlawful use of our services or websites; (4) to comply with legal processes or applicable law; (5) to respond to any claims; or (6) to protect the rights, property, or safety of the Utility, our employees, our customers, or the public.
B. Safeguards Related to Utility Use of Customer Personal Information. The Utility has implemented appropriate administrative, physical, technical and logical safeguards to protect the confidentiality, integrity, and availability of the Customer Personal Information we collect. These safeguards are designed to prevent loss, theft, misuse, unauthorized access, disclosure, alteration or destruction of Customer Personal Information. Further, the Utility has implemented measures to restrict access to Customer Personal Information to only those authorized employees who have a specific need to know such information.
For example, our customer information system has access controls designed to ensure that only those Utility employees who have a business need to work with Customer Personal Information will have access to it, and they will have only the limited amount of access that they need to perform their jobs. Social Security numbers are used within a secure environment, and the Utility has in place a federally required identity theft prevention program. When we request sensitive information (such as credit card number and/or social security number) on the website, we use encryption to protect it from unauthorized access while in transit.
Finally, we do not sell the Personal Usage and Billing Information of our Customers and, pursuant to this Privacy Policy, we will not sell that information for marketing purposes without express Customer consent as outlined in Section VI or otherwise. As allowed in RCW 19.29A.100, we may insert marketing information into our retail electrical customer billing packages.
C. Disclaimer. Despite our security safeguards, however, we cannot guarantee that Customer Personal Information will be protected from interception, misappropriation, misuse or alteration, or that it will not be disclosed or accessed by accidental circumstances or by unauthorized actions. We are required by law to notify customers if we become aware of a security breach that has the potential to affect Customer Personal Information (See RCW 42.56.590).
VI. Procedures and Safeguards Related to Utility Disclosure of Customer Personal Information to Affiliates for Utility Operations
A. Aggregated Data. The Utility may disclose Aggregated Data (as Defined in Section I above) to manage, provide, and improve our services and business operations.
B. Disclosure to Affiliates for Utility Operations. The Utility may disclose Customer Personal Information to Affiliates without Customer Consent so long as (1) the disclosure is lawful, (2) the disclosure is related to Utility programs, operations, and functions that are necessary to our provision of reliable and cost effective electrical service, and (3) there is a written contract signed by the Affiliate that safeguards the disclosed information. Examples of such disclosures are detailed in Appendix A.
C. Safeguards Related to Affiliate Disclosure. In order to ensure that Customer Personal Information is safeguarded when disclosed to Affiliates where Customer Consent is not required, the Utility will complete the following:
- Pre-Disclosure Review Procedure. The Utility shall complete the following steps to determine the necessity, scope and timeline of the disclosure when it is determined that a Utility department has a business or operational need to release Customer Personal Information. The department will:
- Determine through appropriate review whether the law authorizes disclosure.
- Identify a business purpose or business need for disclosure of Customer Personal Information.
- Determine the amount or scope of information to be disclosed by questioning the purpose and need of the Affiliate to receive the information they are requesting.
- Determine a specific timeline in which the Customer Personal Information will be used by the Affiliate and a scope that defines the manner in which the information will be used.
- Complete the “Release of Customer Personal Information Agreement Checklist” in Attachment #3. This form must be approved by the Division or Section Manager that intends to disclose the Customer Personal Information only after validating (1) the identified business purpose or need and (2) that the request to disclose is appropriate and needed. Approval is required only for the initial disclosure determination.
- In all cases of the release of Customer Personal Information, execution of a written contract is required with conditions to govern Affiliate use of the information released.
- Non-Disclosure Obligation. Any Affiliate receiving Customer Personal Information must execute a non-disclosure agreement or a contract that contains non-disclosure requirements. Such non-disclosure agreements or contracts shall include provisions that include consumer data safeguards, such as express prohibitions against: (i) selling the data for any purpose; (ii) using the data for marketing related to secondary purposes (defined below), and (iii) further disclosure to anyone not under a similar contract with the Utility without the permission of the Utility.
Before disclosing any Customer Personal Information to an Affiliate, the Utility shall require the Affiliate to certify in writing that they have read, understand, and will comply with all requirements of this Privacy Policy in the same manner as if they were employees of the Utility. As a precondition to disclosure, all such Affiliates shall sign a non-disclosure agreement that specifically provides that Utility Customers are intended additional beneficiaries of the non-disclosure agreement.
- Transmittal of Customer Personal Information to Affiliates. All files and forms of Customer Personal Information we provide to an Affiliate must be sent via secure FTP, encrypted, or by an alternate secured method to protect the information. Email or hard copies should not be used to share Customer Personal Information with Affiliates.
VII. Disclosures Required by Law
To the fullest extent allowable by law, the Utility will comply with all obligations to provide information, including Customer Personal Information to the public, law enforcement, or other agencies as directed by law and/or the courts.
A. Washington State Public Records Act: The Utility is subject to the disclosure requirements of the Washington State Public Records Act of Chapter 42.56 RCW. Per the Public Records Act, the Utility is required to disclose all requested non-exempt records held or used by the Utility. However, the Public Records Act does provide for some exemptions to disclosure. Such exemptions include Customer addresses, contact information, birthdates, social security numbers, credit card and bank information, account information, and utility usage and billing information in increments smaller than a billing cycle. We will take all reasonable efforts as detailed in this policy to safeguard information that is exempt from disclosure.
B. Law Enforcement, Legal Process, and Agency Requests: The Utility shall comply with requests for Customer Personal Information when such information is demanded through valid legal process. Examples of required disclosure of Customer Personal Information include, but are not limited to, requests by (i) local, state and federal law enforcement agencies conducting criminal investigations and made under the Public Records Act or in the form of a subpoena, search warrant, or other court order; (ii) energy and utility regulatory agencies; and/or (iii) state and other government auditors. These requests may require release of Customer Personal Information involving current and/or former customers.
VIII. Disclosures for Marketing
The Utility does not sell Customer Personal Information which includes Personal Usage and Billing Information for any purpose. Further, as described in this Section, the Utility will not disclose or use Customer Personal Information for marketing or product offering purposes without first obtaining Customer Consent. As allowed in RCW 19.29A.100, we may insert marketing information into our retail electrical customer billing packages.
Customer Consent is required for use or disclosure of Customer Personal Information for marketing and/or product offerings a Customer does not already subscribe to (see RCW 19.29A.100). Customer Consent is required before the release of Customer Personal Information in response to the following requests:
- From an Affiliate asking for Customer Personal Information for their own marketing purposes
- From Utility staff working with an Affiliate to market a new product or service
- To promote marketing of services and products that are not directly related to the conduct of Utility business operations
Customer Consent. “Customer Consent” means an affirmative act of a Customer consenting to or otherwise permitting the Utility and/or an Affiliate to disclose Customer Personal Information. Such consent may be in writing using a standardized Customer Consent form and/or by accepting the terms and conditions stated on the Utility website or online application forms.
- The Utility will require affirmative Customer Consent for each instance of the release of Customer Personal Information for Marketing Purposes. Attachment #1 to this policy allows for Customers to provide consent. The Utility will keep a record for each instance that the Customer has given written or electronic consent, following applicable records retention guidelines.
Tacoma Public Utilities provides registered online users with the option to decline having their Customer Personal Information used for purposes not directly related to our services at the point where we ask for the Customer Personal Information. Users may decline to receive promotional e-mail from the Utility by clicking on the unsubscribe option button at the bottom of the email they received and entering their email address.
Customer Revocation of Consent. Subject to agreements with Affiliates, a Customer has the right to revoke, at any time, any previously granted authorization to transfer Customer Personal Information to an Affiliate. Such revocation may be in writing using a standardized Customer Consent form and/or by rejecting the terms and conditions stated on the Utility website or in online application forms. Attachment #2 to this policy allows for Customers to revoke consent. Upon receipt of revocation from a Customer, the Utility shall have a reasonable period of time, not to exceed one full billing cycle, to cease further disclosure of that Customer’s Customer Personal Information.
IX. Customer Complaints
A. How to make a complaint about disclosure of Personal Information
The Utility will investigate complaints from Customers whose Customer Personal Information may have been sold or disclosed by the Utility or any of its Affiliates in violation of RCW 19.29A.100.
A customer who wishes to make such a complaint must provide a request for investigation in writing, signed by the customer or by someone with the legal authority to act on the Customer’s behalf. Each such request shall include a short and plain statement of the circumstances and the information he or she believes was disclosed. The written request must be delivered to the Utility located at the following address:
In person:
Customer Service Division
Tacoma Public Utilities
3628 S. 35th Street
Tacoma, WA 98409
Mail-in address:
Tacoma Public Utilities
P.O. Box 11007
Tacoma, WA 98411-0007
B. Customer Complaint Review. Upon receipt of a complaint, the Customer Services Manager, or their designee, shall promptly investigate the complaint, including review of business records and practices pertinent to any disclosure of Customer Personal Information in violation of this Privacy Policy. Upon completing the investigation, a written response will be provided to the Customer. Absent exceptional circumstances, the response will be provided within 30 days of receipt of the complaint.
The customer may subsequently make a request for a discretionary independent hearing using Tacoma Public Utilities’ Appeals Process, which is described in Attachment #4 to this Privacy Policy.
Appendix A
Information Tacoma Public Utilities Collects and Uses
I. Tacoma Public Utilities may request and collect Customer Personal Information under a number of circumstances related to its utility operations. The list below is not comprehensive but is an attempt to provide you with a reasonably complete list of the information the Utility may collect in relation to its operations, programs, and services:
Utility Account. To establish a utility account, we will require certain PII such as the customer’s name, address, telephone number, birthdate, email address, and identity verification as further detailed below.
Online Account Registration. Account registration also is required to access some features and services on our website. During the registration process, we may ask a customer for a username, password, and other PII in order to verify the customer’s identity, establish customer account(s), promote security, and to provide appropriate access to features. Customer
Online Customer and Energy Service Features / Online Rebate Applications. Customers who use online features or applications for conservation or rebate programs may be asked for their address, account number, location, and other information during the use of some online features or forms.
Identity Theft Prevention Program. As part of our identity theft prevention program required by law, the Utility uses social security numbers or other valid, government issued picture identification to validate the identity of residential customers who open accounts online or over the telephone.
Utility Discount Rate, Energy Assistance, Energy Efficiency and Conservation Programs. The Utility may collect PII to evaluate or process applications for our discount rate and energy assistance programs. PII collected may include information from consumer reporting agencies, information from Customers to verify employment or income, or other customer supplied PII collected as part of the application process.
Affiliates. The Utility contracts with Affiliates to implement some of its energy efficiency and conservation programs. If Customers opt to participate in these programs Affiliates may collect utility Customer contact, demographic, energy use information, and/or other customer information as necessary to provide services related to these programs.
Surveys, Contests and Promotions. The Utility may offer voluntary surveys, contests and other promotions. To participate, Customers may be asked to provide PII including contact information such as name and addresses, and demographic information, such as ZIP codes, age, and income.
Co-Branded Web Pages. The Utility’s website includes certain co-branded pages. A co-branded page provides a link to the website of one of our Affiliates. The linked website may ask for contact, demographic, energy use, and other information from Utility customers.
Smart Meter Data. Advanced Metering Infrastructure (AMI) enables the collection and reporting of granular data about utility usage and demand (“Advanced Meter Data”).
II. Tacoma Public Utilities may use Customer Personal Information in a variety of ways. The list below is not comprehensive but is an attempt to provide you with a reasonably complete list of the ways the Utility may utilize Customer Personal Information in its operations, programs, and services:
- To ensure accurate and timely billing. This includes but is not limited to communicating with Customers about their billings, accounts, energy usage, water usage and payments.
- To provide Customers with products and services they have requested from the Utility.
- To obtain customer satisfaction data.
- To collect outstanding utility charges in the sale, acquisition, merger, or lease of business assets or property, and other transfers of control or management of business operations. Such disclosure may also be needed in the event of insolvency, bankruptcy or receivership proceedings.
- To administer contests or other promotions in which customers are voluntary participants.
- To maintain or operate a safe and reliable electric and water system.
III. Reasons Customer Personal Information may be disclosed to Affiliates:
- To maintain or operate our safe and reliable electric system or grid operations
- To plan, implement, or evaluate energy use programs, such as energy management, or demand response.
- As part of Low-Income and other discount rate or payment assistance programs, such as to other public agencies for eligibility evaluations;
- In relation to energy efficiency program validation or administration (such as to Bonneville Power Administration (“BPA”) or other regulatory agencies and conservation performance evaluators)
- In furtherance of Utility program education and/or customer participation
- To provide contracted services in relation to the Utility uses specified in above sections
Attachments
Attachment one: Customer Authorization to Release Information
Attachment two: Customer Revocation of Authorization to Release Information
Attachment three: Release of Customer Personal Information Checklist