Current through Register Vol. 47, No. 22, November 25, 2024
Section 4 CCR 723-1-1105 - Personal Information - Disclosure(a) A utility may only disclose personal information as permitted by Commission rule or as compelled by state or federal law.(b) Requests to disclose personal information must specify the identity of the requestor, the electronic or mail address to which requested information is to be delivered, and the authority or authorization for the request. With the exception of requests pursuant to paragraph 1105(c) or by the consumer requesting a copy of his or her personal information as permitted in paragraph 1104(b), all requests must be in writing. Written requests must be on official letterhead or from an official e-mail address. Permitted disclosure of personal information may be provided in response to a telephone request; however, the employee of the regulated entity must first verify the caller's identity by returning the call using a telephone number verified independently of the caller, including without limitation, prior experience of the authorized representative. Permitted disclosure of personal information may also be provided in person; however, the person requesting information in person must demonstrate to the regulated entity that he or she is authorized to request the personal information.(c) A utility may disclose information regarding monthly gas, steam, and electric customer charges and general usage for up to thirty-six months (at no more granular level than monthly totals), payment history, past due amounts, pending deposits, current shut-off due dates or disconnection, current life support status, payment arrangements, history of energy assistance payments, number of heating degree days, and other specifically requested information in response to requests from Energy Outreach Colorado (EOC), the Low-Income Energy Assistance Program (LEAP), the Weatherization Assistance Program (WAP) and any other affiliated agencies using the information to provide energy assistance and programs to Colorado customers, provided that EOC, LEAP, WAP, and any other affiliated agencies receiving information pursuant to this rule have included as part of their application process notice to the applicant for assistance that his or her utility may disclose certain information including a notice to the customer of all personal information that is or may be requested, to facilitate the energy assistance and program application process.(d) A regulated entity may disclose personal information to a contracted agent to assist in the provision of regulated services, provided, however, that the contract contains the following minimum requirements:(I) The contracted agent shall implement and maintain reasonable data security procedures and practices appropriate to the private nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. These data security procedures and practices shall be equal to or greater than the data privacy and security policies and procedures used by the regulated entity internally to protect personal information.(II) The contracted agent shall use personal information only for the purpose of fulfilling the terms of the contract. The use of personal information for a secondary commercial purpose not related to the purpose of the contract without the regulated entity first obtaining the customer's consent is prohibited.(III) The contracted agent shall destroy or return to the regulated entity all personal information that is no longer necessary for the purpose for which it was transferred.(IV) The contracted agent shall execute a non-disclosure agreement with the regulated entity.(V) In the event a contracted agent uses, maintains, or otherwise distributes personal information in a way that would violate Commission rule if done directly by a regulated entity, such use, maintenance, or distribution shall be considered a violation of these rules by the regulated entity that disclosed the person information to the contracted agent.(e) The regulated entity shall maintain records of the disclosure of personal information to the contracted agent for a minimum of three years. Such records shall include all contracts with the contracted agent and executed non-disclosure agreements.38 CR 02, January 25, 2015, effective 2/14/201538 CR 20, October 25, 2015, effective 11/14/201543 CR 13, July 10, 2020, effective 7/30/202045 CR 07, April 10, 2022, effective 4/30/2022