Privacy Policy
  Terms and Conditions

Effective Date: Jan 31, 2013




The Policy applies to activities that involve the use of the City's information assets, namely, the Information of persons doing business with the City or receiving services from the City, which are owned by, or entrusted to, the City and will be made available to the City's employees and third party contractors under contract to the City to provide Software as a Service consulting services. These activities include, without limitation, accessing the Internet, using e-mail, accessing the City's intranet or other networks, systems, or devices.


The term "information assets" also includes the personal information of the City's employees and any other related organizations while those assets are under the City's control. Security measures will be designed, implemented, and maintained to ensure that only authorized persons will enjoy access to the information assets. The City's staff will act to protect its information assets from theft, damage, loss, compromise, and inappropriate disclosure or alteration. The City will plan, design, implement and maintain information management systems, networks and processes in order to assure the appropriate confidentiality, integrity, and availability of its information assets to the City's employees and authorized third parties.




Except as permitted or provided by applicable laws, the City will not share the Information of any person doing business with the City, or receiving services from the City, in violation of this Policy, unless that person has consented to the City's sharing of such information during the conduct of the City's business as a local government agency with third parties under contract to the City to provide services.




The City may gather the Information from a variety of sources and resources, provided that the collection of such information is both necessary and appropriate in order for the City to conduct business as a local government agency in its governmental and proprietary capacities. That information may be gathered at service windows and contact centers as well as at web sites, by mobile applications, and with other technologies, wherever the City may interact with persons who need to share such information in order to secure the City's services.


The City's staff will inform the persons whose Information is covered by this Policy that the City's web site may use "cookies" to customize the browsing experience with the City of Palo Alto web site. The City will note that a cookie contains unique information that a web site can use to track, among others, the Internet Protocol address of the computer used to access the City's web sites, the identification of the browser software and operating systems used, the date and time a user accessed the site, and the Internet address of the website from which the user linked to the City's web sites. Cookies created on the user's computer by using the City's web site do not contain the Information, and thus do not compromise the user's privacy or security. Users can refuse the cookies or delete the cookie files from their computers by using any of the widely available methods. If the user chooses not to accept a cookie on his or her computer, it will not prevent or prohibit the user from gaining access to or using the City's sites.




In the provision of utility services to persons located within Palo Alto, the City of Palo Alto Utilities Department ("CPAU") will collect the Information in order to initiate and manage utility services to customers. To the extent the management of that information is not specifically addressed in the Utilities Rules and Regulations or other ordinances, rules, regulations or procedures, this Policy will apply; provided, however, any such Rules and Regulations must conform to this Policy, unless otherwise directed or approved by the Council. This includes the sharing of CPAU-collected Information with other City departments except as may be required by law.


Businesses and residents with standard utility meters and/or having non-metered monthly services will have secure access through a CPAU website to their Information, including, without limitation, their monthly utility usage and billing data. In addition to their regular monthly utilities billing, businesses and residents with non-standard or experimental electric, water or natural gas meters may have their usage and/or billing data provided to them through non-City electronic portals at different intervals than with the standard monthly billing.


Businesses and residents with such non-standard or experimental metering will have their Information covered by the same privacy protections and personal information exchange rules applicable to Information under applicable federal and California laws.





The Information that is collected by the City in the ordinary course and scope of conducting its business could be incorporated in a public record that may be subject to inspection and copying by the public, unless such information is exempt from disclosure to the public by California law.




The City will take reasonable steps to verify a person's identity before the City will grant anyone online access to that person's Information. Each City department that collects Information will afford access to affected persons who can review and update that information at reasonable times.




Except as otherwise provided by applicable law or this Policy, the City will treat the Information of persons covered by this Policy as confidential and will not disclose it, or permit it to be disclosed, to third parties without the express written consent of the person affected. The City will develop and maintain reasonable controls that are designed to protect the confidentiality and security of the Information of persons covered by this Policy.


The City may authorize the City's employees and/or third party contractors to access and/or use the Information of persons who do business with the City or receive services from the City. In those instances, the City will require the City's employees and/or the third party contractors to agree to use such Information only in furtherance of City-related business and in accordance with the Policy.


If the City becomes aware of a breach, or has reasonable grounds to believe that a security breach has occurred, with respect to the Information of a person, the City will notify the affected person of such breach in accordance with applicable laws. The notice of breach will include the date(s) or estimated date(s) of the known or suspected breach, the nature of the Information that is the subject of the breach, and the proposed action to be taken or the responsive action taken by the City.




The City will store and secure all Information for a period of time as may be required by law, or if no period is established by law, for seven (7) years, and thereafter such information will be scheduled for destruction.




The City may engage third party contractors and vendors to provide software application and database services, commonly known as Software-as-a-Service (SaaS).


In order to assure the privacy and security of the Information of those who do business with the City and those who receive services from the City, as a condition of selling goods and/or services to the City, the SaaS services provider and its subcontractors, if any, including any IT infrastructure services provider, shall design, install, provide, and maintain a secure IT environment, while it performs such services and/or furnishes goods to the City, to the extent any scope of work or services implicates the confidentiality and privacy of the Information.


These requirements include information security directives pertaining to: (a) the IT infrastructure, by which the services are provided to the City, including connection to the City's IT systems; (b) the SaaS services provider's operations and maintenance processes needed to support the IT environment, including disaster recovery and business continuity planning; and (c) the IT infrastructure performance monitoring services to ensure a secure and reliable environment and service availability to the City. The term "IT infrastructure" refers to the integrated framework, including, without limitation, data centers, computers, and database management devices, upon which digital networks operate.


Prior to entering into an agreement to provide services to the City, the City's staff will require the SaaS services provider to complete and submit an Information Security and Privacy Questionnaire. In the event that the SaaS services provider reasonably determines that it cannot fulfill the information security requirements during the course of providing services, the City will require the SaaS services provider to promptly inform the ISM.




CPAU will require utility customers to provide their Information in order for the City to initiate and manage utility services to them.


Federal regulations, implementing the Fair and Accurate Credit Transactions Act of 2003 (Public Law 108-159), including the Red Flag Rules, require that CPAU, as a "covered financial institution or creditor" which provides services in advance of payment and which can affect consumer credit, develop and implement procedures for an identity theft program for new and existing accounts to detect, prevent, respond to and mitigate potential identity theft of its customers' Information.


CPAU procedures for potential identity theft will be reviewed independently by the ISM annually or whenever significant changes to security implementation have occurred. The ISM will recommend changes to CPAU identity theft procedures, or as appropriate, so as to conform to this Policy.


There are California laws which are applicable to identity theft; they are set forth in California Civil Code § 1798.92.




Contact Us

If you have any questions about this privacy policy statement, the practices of this website, or your dealings with this website, you can contact:


City of Palo Alto Utilities

Customer Services

250 Hamilton Ave

Palo Alto, CA 94301


Telephone: (650) 329-2161