• Data Privacy Protection

  • It is the policy of Pepco Holdings, Inc., and its affiliates (collectively, "PHI" or the "Company"), in accordance with applicable law, to protect the confidentiality of Personally Identifiable Information that is under the custody of the Company, whether residing within the Company or under control of the Company through a third party.

    What Information Is Covered?

    "Personally Identifiable Information" is defined as any information about an individual maintained by the Company, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. At PHI, individual customer information, including energy usage data, is included within the scope of this policy.

    Individuals whose Personally Identifiable Information is covered by this policy include but are not limited to employees, job applicants, contractors, retirees, customers, shareholders, vendor personnel, and any others whose Personally Identifiable Information is in the custody of the Company.

    In general, Personally Identifiable Information may include any information that:

    • Distinguishes, identifies, or could identify an individual;
    • Provides sufficient information to make a determination about a specific aspect of an individual's activities or status; or
    • Is or could be logically linked with or associated with other information about an individual

    Personally Identifiable Information may be collected, processed, and retained only for legitimate PHI business reasons.

    This Policy applies to all Personally Identifiable Information maintained by the Company, electronic or printed, stored on any medium.

    What Is Required?

    Each Business, Support Services or Corporate Services Organization within the Company is required to identify and maintain an inventory of all Personally Identifiable Information residing within its organization or under the control of its organization through a third party (e.g., arrangements whereby PHI information, such as performance appraisals or customer financial data, is stored and processed outside the Company).

    Access to this information must be limited to those who require access by reason of their job duties. Procedures must be in place to ensure that those who do have access, including entities outside the Company, are informed of the requirements for safeguarding Personally Identifiable Information.

    Information identified as Personally Identifiable Information is subject to controls to maintain its confidentiality. Appropriate controls, which comply with corporate standards for privacy information, are established by the Business, Support Services or Corporate Services Organization responsible for the information.

    All persons who have access to Personally Identifiable Information are required to carry out their obligations under this policy and to follow the procedures established to protect this information. PHI's Data Privacy Standard provides details on implementing the Data Privacy Protection Policy.

    What Is Prohibited?

    It is wrong to: (i) access, remove, disclose or use Personally Identifiable Information (other than for legitimate Company business and involving only those with a need to know this information) or (ii) assist others in such removal, disclosure or use. This restriction applies during employment with the Company or engagement as a contractor and after the employment or engagement ends.

    The removal, use or disclosure of Personally Identifiable Information (or assisting others in such conduct) is prohibited under: (i) state and federal statutes; (ii) common law; and/or (iii) Company policies. A person can have both civil and criminal liability for engaging in prohibited conduct. A good rule to follow is: if you are not sure if certain information is Personally Identifiable Information, treat it as if it is.