COLLECTING, STORING AND USING PERSONAL INFORMATION IN A CONDOMINIUM
The Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5 (“PIPEDA”), is a privacy legislation enacted by the federal government for purposes of protecting personal information collected, used or disclosed in certain circumstances. It also governs the use of electronic means to communicate or record information or transactions.
PIPEDA applies to all private organizations regarding personal information that the organization collects, uses or discloses in the source of commercial activities. There is uncertainty about whether a condominium corporation would be found to engage in commercial activities. A "commercial activity" means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character.
The main obligation under PIPEDA is not to disclose any personal information collected except for proper purposes of the organization and without the appropriate informed consent of the person whose information it is.
What is personal information?
Personal information is information about an “identifiable individual”. There are two broad categories of personal information covered by PIPEDA:
a. Information collected, used or disclosed by any organization in the course of commercial activities; and
b. Employee information collected, used or disclosed in connection with the operation of a federal work, undertaking or business.
PIPEDA could conceivably apply to any information about an individual that a condominium might collect, subject to some exceptions:
- Where consent is obtained from the individual to collect and use the information;
- Where the information is available to the public;
- The information is used in an emergency affecting the individual;
- The person gives their consent either implied or directly; or
- Where the information is permitted by other statutes to be released under specified circumstances.
What can be done with personal information?
For the most part, information collected such as names, addresses, and telephone numbers, would not require the consent of unit owners for general use as long as it is related to the operation of the condominium. General use would include notices of owners meetings, notices of liens, and information in a Status Certificate. In contrast, information such as unlisted telephone numbers, or banking information would require consent to be used.
To release personal information to another organization, the condominium must obtain consent of the owner except in a few circumstances, when the information is:
- given to a lawyer representing the corporation;
- used to collect a debt;
- used to comply with a subpoena;
- a part of disclosure given as a result of a legal investigation;
- contained in a public directory; or
- used after it is either 100 years since the record was created, or 20 years since the death of the individual.
Storing the Information
How a condominium stores this information is just as important as how it uses it. There is no single proper procedure for safeguarding Personal Information, but the following should be considered:
- storing information in locked cabinets;
- segregating Personal Information from general business information;
- proper computer security to prevent unauthorized access;
- computer files should be backed up;
- information must never be left where cleaning staff, or a passersby can see;
- information should never be given over the phone until the identity of the caller has been identified;
- all staff should be trained in respect of privacy policies;
- each unit should be assigned its own file;
- minutes of board meetings should be drafted so as to not include Personal Information (for example, financial difficulty of an owner);
This list is by no means exhaustive, but should be used as a starting point for complying with privacy laws.
Responding to Curious Owners
It is clear from section 55 of the Condominium Act, 1998, (the “Act”) that owners cannot:
- review the content of other unit files unless authorized to do so in writing by the owner of that unit;
- review files related to ongoing litigation or insurance claims; and
- review employee records, other than the employment contract.
This means that corporations will have to be cautious when allowing individual unit owners to access records if there is a chance they may obtain Personal Information relating to other owners.
It is imperative that Personal Information of an owner is kept in their own unit file. There should also be a separate file for each litigation or insurance claim. Documents should be looked over before they are shown to an owner to make sure they don’t contain personal information of other owners.
A proper procedure would be to have the individual asking for records fill out a standard form including a statement as to why they are requesting the information. The form should also make it clear that the owner agrees that the information:
- will only be used for matters relating to the corporation;
- will not be distributed to anyone outside of the corporation; and
- will not be used for personal gain.
Privacy Policies and Privacy Officers
PIPEDA requires that a corporation:
I. the kind and limits of information collected;
II. how and for what purposes such information is used; and
Does PIPEDA apply to Condominiums?
It is highly unlikely PIPEDA will be found to apply to residential condominium corporations. Residential Condominiums that do not sell information, goods or services for profit, are not involved in commercial activities. PIPEDA was enacted in 2000, and there is yet to be a court case involving a residential condominium corporation.
Although it appears that PIPEDA would not apply to a residential Condominium corporation, it is clear that it does apply to Condominium Management companies that collect, use and disclose personal information about residents during their ‘commercial activities’. Condominium Management companies would be considered to be performing commercial activities when they are handling the financial affairs, or performing other jobs for the corporation.
PIPEDA case #2006-342 makes it clear that the legislation applies to a landlord, as they are engaged in a commercial activity. Even though the landlord was subject to PIPEDA in this case, the privacy commissioner found that the ‘summary of lease or renewal form’ which discloses personal information of the tenant still had to be filled out by the landlord because it is required by law.
PIPEDA case #2006-343 followed the same logic and stated that a landlord could provide personal information about a tenant to an insurance company, as the insurance company’s purpose for obtaining this information was reasonable.
Although it does not appear that PIPEDA applies to residential condominium corporations it would be wise, for cautions sake, to enforce privacy policies in line with PIPEDA’s principles. This would diminish any risk of contravening the relevant sections of the Condominium Act, and would ensure compliance with PIPEDA in the event this legislation was ever found to apply to your condominium corporation.
Real Estate Law Contacts: