Privacy Policy
Summary. PEA must protect data that contains sensitive information as it pertains to staff, business partners, and customers in accordance with regulations, requirements, and all pertaining laws. PEA will maintain internal controls on, and accessibility of, digitally stored documents, data, and devices as required by law.
Scope. Municipal authorities must comply with the State Ethics Act, which includes provisions related to the use of IT resources to prevent conflicts of interest and ensure ethical conduct in the digital realm (65 Pa.C.S. § 1101 et seq.; see also the Code of Ethics Policy).
Policy. Authorities must implement IT systems that comply with record retention policies, ensuring that electronic records are maintained and retrievable in accordance with legal requirements (see Records Retention Policy). PEA staff should always practice mindful data sharing methods and secure their data to the best of their abilities, as advised by our contracted IT partner.
All IT requests should go through the Operations team and PEA’s IT provider. All PEA-issued devices are subject to search and seizure by PEA management, and by federal officials where legally applicable (see the Network and Electronic Resources Policy in PEA’s Employee Handbook).
References: PA Public Officials and Employee Ethics Act, 65 Pa. C.S. §§ 1105; 2 CFR 200.303(a), (e)
3.1 Cybersecurity
Policy: It is the responsibility of all PEA staff, partners, and vendors to take all reasonable and necessary cybersecurity measures. PEA staff must abide by all established risk management protocols and maintain secure IT systems, including password protection and virus prevention software.
Procedure: As part of cybersecurity competency, all PEA employees must complete cybersecurity training within 30 days of hire. Attestations of completion must be kept on file for reference. Staff are encouraged to undertake refresher training no less than once a year.
3.2 Data Management
Policy: PEA must maintain files using encrypted and password-protected virtual file storage and file sharing platform(s). Employees shall refrain from sharing sensitive and protected data over insecure platforms. The following additional requirements may apply depending on the class of data being managed:
• Municipal authorities under contract(s) that involve managing, storing, or processing federal information must comply with FISMA standards to protect related data and systems (44 U.S.C. § 3551 et seq.).
• In any case where the Philadelphia Energy Authority as a municipal authority handles protected health information (PHI), it must implement all necessary cybersecurity measures to comply with HIPAA’s Privacy and Security Rules (45 C.F.R. Parts 160 and 164).
• In any case where the Philadelphia Energy Authority as a municipal authority provides financial services, the organization must protect sensitive financial data (15 U.S.C. §§ 6801–6809).
Procedure: Upon separation from the organization, all permissions, logins, and access to organization data are to be revoked on the date of departure. Any shared logins stored on secure password management platforms are to be changed as soon as logistically possible and no later than 24 hours following departure (see Off-Boarding Policy in the HR Manual). It is the responsibility of the Operations team and the former employee’s direct supervisor to remove the individual from all shared documents and official accounts.
References: 44 U.S.C. § 3551; 45 CFR 160; 45 CFR 164; 15 U.S.C. §§ 6801–6809; PEA Employee Handbook Confidentiality and Proprietary Information Policy
3.3 Third-Party Data Sharing
Policy: Municipal authorities are required to provide public access to records, including electronic records, under the Pennsylvania Right-to-Know Law (see Right-to-Know Policy). Pursuant to Right-to-Know laws, data may be provided to external parties following formal requests for information. PEA must take all reasonable measures to ensure data security and confidentiality, as required by law and best practices, for any data released in response to such information requests.
All third-party software utilized by PEA must meet minimum standards for security, pursuant to the above requirements, including password protection and/or data encryption. Access to internal documents must be managed, tracked, and restricted as far as reasonably necessary to maintain security standards.
Procedure: When collaborating with external stakeholders, all reasonable care must be taken to ensure that stakeholder data management meets an equivalent level of data security before sharing data. When a contracted external partner would have access to sensitive/protected information in the normal course of contract fulfillment, it is recommended that the third party be required to take all reasonable and necessary efforts to ensure data security as part of the contract agreement.
Permissions provided to external entities to view, edit, download, or otherwise modify organization data must be communicated and approved by department supervisors when not otherwise covered in the normal execution of the vendor/stakeholder contract. Permissions are to be revoked as soon as the collaboration on the project in question concludes. A log of external parties with access to the internal documents and data is strongly recommended.
3.4 Incident Policy
Policy: Incidents, e.g. compromised passwords, data breaches or lost/stolen devices, are to be reported and addressed as soon as reasonably practicable. It is the responsibility of every PEA employee to be vigilant with regard to IT incidents.
All suspected incidents are to be reported to the department supervisor, the Operations team, and PEA’s IT provider immediately upon discovery. Following a verified data breach, PEA will conduct a discovery process to both assess the scope of the breach and inform the implementation of additional security measures as necessary to preempt similar breaches in the future.
References: 65 P.S. § 67.101 et seq.; 2 CFR 200.334; PA Public Officials and Employee Ethics Act, 65 Pa. C.S. §§ 1101–1113; Google Cloud – Encryption in Transit; Google Cloud – Encryption at Rest