Privacy: How the Personal Information Protection Act Applies to Strata Corporations
The Personal Information Protection Act (“PIPA”) came into force on January 1, 2004. PIPA requires organizations in British Columbia to have a proper system for the collection, use, disclosure and protection of personal information. The statutory definition of organization works by listing the bodies which are excluded from the definition. The strata corporation does not fall into any of the categories excluded from the statutory definition of organization and is subject to PIPA.
What is Personal Information?
PIPA defines personal information as “information about an identifiable individual”. This definition is broad and can include name, date of birth, phone number, email address, driver’s licence information, financial information, medical information and images (such as photos or videos of an individual), but does not include contact information.
PIPA and Strata Corporations
Generally, PIPA gives individuals the right to:
- know the purpose for a strata corporation’s collection, use or disclosure of their personal information;
- expect a strata corporation to collect, use or disclose personal information for purposes that are reasonable and appropriate;
- consent to collection, use or disclosure of their personal information;
- know who in the strata corporation is responsible for protecting personal information;
- expect a strata corporation to protect personal information by taking appropriate security measures;
- expect that the personal information a strata corporation uses is accurate;
- request access to their personal information held by the strata corporation;
- request that their personal information be corrected; and
- have the strata corporation respond to complaints about how it handles personal information.
Generally, PIPA requires a strata corporation to:
- designate someone to be accountable on the strata corporation’s behalf for its compliance with PIPA;
- obtain the consent of owners and tenants before it collects, uses or discloses personal information (except in specified circumstances where PIPA does not require consent);
- tell individuals, upon request, why personal information is being collected, how it is being used and to whom it has been disclosed;
- take reasonable steps to ensure that the personal information it collects is accurate and secure;
- respond to requests for personal information completely and promptly;
- have personal information policies that are understandable and readily available; and
- securely destroy, erase or make anonymous personal information where a strata corporation no longer needs the information for the purpose for which it was collected and retention is no longer necessary for legal or business purposes.
Appointing a Privacy Officer and PIPA Compliance
PIPA requires the appointment of one or more individuals to be responsible for the strata corporation’s compliance with PIPA. The privacy officer’s role usually includes the following responsibilities:
- obtaining privacy training;
- maintaining an inventory of what personal information the strata corporation routinely collects, uses and discloses;
- ensuring privacy policy and procedures are documented and followed;
- conducting risk assessments and evaluating the strata corporation’s security safeguards for protecting personal information;
- establishing, and reviewing on a regular basis, personal information security safeguards, storage and retention policies and procedures, and breach and incident management response protocols;
- ensuring that any third parties such as legal counsel, property management companies, or other service providers are keeping personal information they receive from the strata corporation secure; for example, through contractual requirements and audits by the strata corporation;
- responding to requests for access to personal information under PIPA; and
- responding to complaints under PIPA.
The privacy officer’s contact information must be provided to any individual who has questions about how the strata complies with PIPA.
Collecting Personal Information
Under PIPA, an organization can be authorized to collect information with or without consent.
Collecting Personal Information with Consent
There are two types of consent: express consent and implied consent.
Express consent means that the individual specifically consents either orally or in writing to the strata corporation collecting their personal information for specific purposes.
Implied consent means an individual is deemed to have given consent if that individual voluntarily gives their personal information to the strata corporation for a purpose that would be obvious to a reasonable person.
Collecting Personal Information without Consent
The law can authorize or require a strata corporation to collect personal information about an individual without their consent. For example, under the Strata Property Act, strata corporations are authorized to collect the personal information of individuals to create records, such as meeting minutes or lists of owners and tenants.
A properly registered strata bylaw can also authorize a strata corporation to collect, use and disclose personal information without consent of the individual. Such a bylaw must identify the purpose of the collection, use and disclosure of the personal information. For example, a strata corporation may have a properly registered bylaw requiring the collection and use of personal information so that the strata council can properly manage the strata corporation, such as banking or credit card information to allow pre-authorized payments to pay strata fees.
Other circumstances where a strata corporation can collect, use and disclose personal information without consent of the person include:
- the collection of information is in the interests of the individual and consent cannot be obtained in a timely manner, for example in an emergency situation
- it is reasonable to expect that collection of the information with the consent of the individual would compromise the availability or the accuracy of the personal information, and the collection is reasonable for an investigation or proceeding, for example, in the process of investigating a bylaw infraction where consent would compromise the availability or accuracy of the information
- the information is necessary to facilitate the collection of a debt or a payment of a debt owed to the strata corporation
- the personal information is available from a public source listed in the PIPA regulations, such as a telephone directory.
Personal Information Collected, Used and Disclosed by Strata Corporations
The personal information that a strata corporation collects, uses and discloses may be classified into three categories:
- Information required to be collected, used or disclosed under the Strata Property Act
- Information that a strata corporation requires in addition to the information required by the Strata Property Act, and
- Information that is volunteered to a strata corporation.
Personal Information Required by the Strata Property Act
The Strata Property Act requires a strata corporation to collect, use and disclose personal information. These activities required by the Strata Property Act do not require the consent of strata lot owners, tenants or occupants.
Sections 35 and 36 of the Strata Property Act require a strata corporation to collect, use and disclose the following personal information:
- A list of owners and their:
  - strata lot addresses,
  - mailing addresses if different than the strata lot address,
  - strata lot numbers as shown on the strata plan,
  - unit entitlement, and
  - parking stall and storage locker numbers, if any
- A list of tenants
- A list of council members’ telephone numbers or some other method by which the council member may be contacted on short notice, as long as that method is not prohibited by bylaw
- Names and addresses of mortgagees who have filed a Mortgagee’s Request for Notification (Form C)—this is only personal information under PIPA if the mortgagee is an individual
- Some of the information included in an Information Certificate (Form B), Certificate of Payment (Form F), Certificate of Lien (Form G), Acknowledgement of Payment (Form H), and Notice of Tenant’s Responsibilities (Form H).
The Strata Property Act requires a strata corporation, upon receiving a request, to provide the above listed personal information to an owner, a tenant who has been assigned a landlord’s right to inspect and obtain copies of documents and a person authorized in writing by an owner or a tenant with a right to inspect.
Personal Information Required by Strata Corporations
The bylaws of a strata corporation may require much greater collection, use and disclosure of personal information from owners, tenants and occupants than is mandated under the Strata Property Act.
Personal information that may be required under strata corporation bylaws includes:
- Names of all persons residing in a strata lot
- Banking or credit card information allowing for pre-authorized payment of strata fees
- Emergency contact information
- Information regarding any pets in a strata lot
- Vehicle identification and vehicle licence numbers
- Insurance particulars, and
- Data collected in surveillance tapes or key fob reader systems
A best practice for strata corporations is to keep the personal information it collects, uses and discloses to a minimum. If personal information, apart from that required by the Strata Property Act, is collected, used and disclosed by the strata corporation, the strata corporation should ensure that proper consent is obtained and that the consent allows for disclosure. The strata corporation should also ensure that the bylaw authorizing the collection, use and disclosure of personal information has a valid purpose.
Personal Information Volunteered to the Strata Corporation
In some circumstances, individuals may volunteer personal information to a strata corporation. Often volunteered personal information is collected by a strata corporation through correspondence and meeting minutes. A strata corporation should carefully consider if it has the consent of the individual volunteering the information to use the information and disclose it to others.
Use and disclosure of personal information
A strata corporation can use and disclose personal information for specific purposes provided two requirements are met:
- it notified the individual of those purposes when the information was collected, and
- the purpose is reasonable.
Thus, a strata corporation must be able to explain the purpose for which it requires personal information to the individual providing that personal information.
Additionally, to use and disclose personal information, the strata must either:
- have the individual’s consent to use or disclose the personal information for the stated purpose, or
- identify a provision in PIPA that authorizes the use or disclosure of personal information without the individual’s consent.
“Purpose” is interpreted broadly under PIPA and a strata corporation does not need to set out the particular purpose for each piece of personal information it collects. The purposes for which personal information of owners, tenants and occupants is required may be described as follows:
- to identify and communicate with strata lot owners
- to process payments
- to respond to emergencies
- to ensure the orderly management of the strata corporation, and
- to comply with requirements of the Strata Property Act and other legislation.
Disclosing personal information to law enforcement agencies
If a law enforcement agency requests personal information from a strata corporation without a court order, the strata may ask the agency to return with a court order for the information or may choose to disclose the information without a court order. Disclosure of information to a law enforcement agency without a court order is only permitted under PIPA where the disclosure is about an offence, to aid in an investigation or assist in making a decision about whether to investigate a possible offence. As a best practice, the strata should record:
- the file number or badge number of the officer requesting the information,
- the information it gave to law enforcement, and
- why it gave the information to law enforcement.
Disclosing personal information to property managers
The strata can disclose personal information to a property manager without the consent of the individual provided that the property manager will only use that information for the purposes for which it was collected and the information was collected with the individual’s consent.
Retaining & Destroying Personal Information
Under PIPA, if personal information is used to make a decision that directly affects an individual, that information must be kept for at least 1 year.
Under the Strata Property Act and its Regulations, longer retention periods are mandated for certain records which likely contain personal information. Retention periods longer than the 1-year period set out in PIPA must be followed. For example, minutes of AGMs, SGMs and council meetings must be retained for at least 6 years.
PIPA also requires strata corporations to securely destroy personal information when its retention is no longer necessary for the strata corporation’s purposes or required under the Strata Property Act.
Duty to Protect Personal Information from Loss and Other Risks
PIPA requires strata corporations to make reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal of any retained personal information. Security measures should reflect the sensitivity of the personal information that has been retained. For example, a higher level of security might be expected for the financial information of owners than a list of pets residing in the strata property.
Requests from individuals for their information
Individuals may make two different types of requests to strata corporations for access to information. Under PIPA, an individual may request their own personal information. Under the Strata Property Act, an individual may request records kept by the strata which may contain their own personal information and the information of other individuals.
If a request is made under PIPA, the strata is only permitted to disclose the individual’s own personal information and not the information of others. However, if a request is made under the Strata Property Act, the strata must disclose the information it is required to by law, potentially including the information of other individuals. A disclosure in accordance with the Strata Property Act is authorized under PIPA because the disclosure is required by the law.
If an individual requesting personal information does not specify if the request is made under PIPA or the Strata Property Act, a best practice is to clarify which law the request is being made under. In the interests of transparency, a strata should tell a requester about the Strata Property Act if the requester is entitled to receive the information under the Strata Property Act but not under PIPA.
Personal Information Collected in Meeting Minutes
Under the Strata Property Act, the strata is required to create and retain minutes of AGMs, SGMs and council meetings, including the results of any votes. A person attending a meeting has provided implied consent to have their name, strata lot number and unit number recorded in the minutes. A strata council member or a guest attending a strata council meeting has provided implied consent to have their name recorded in the strata council minutes.
Best practices for the creation of strata council meeting minutes include:
- Recording all decisions made, but not recording the discussions of personal information or deliberations leading up to the decision.
- Identifying only the strata lot number of an owner or tenant in relation to sensitive matters such as bylaw violations, strata fee debts, or hardship applications.
- Ensuring that every statement in the minutes is accurate, objective, verifiable and contains the minimum amount of personal information necessary.
Recordings of strata council or general meetings are likely not authorized under PIPA, unless the strata corporation has passed a bylaw permitting audio or video recording of the meetings.
Surveillance systems
Surveillance systems may include video or audio recordings, key fob entry systems and other technologies that record or track information about identifiable individuals. A strata corporation should seek to limit the use of cameras and other surveillance equipment if possible. The more sensitive the information collected and the more invasive the method of collection, the less likely that surveillance is reasonable, and therefore authorized, under PIPA.
A strata should identify and record the purpose of surveillance in each area of the property. The strata should be prepared to justify the use of surveillance on the basis of a verifiable, specific concern about the personal safety of people living there or about protection of property.
A best practice is for a strata to write a policy about how it will manage personal information created from the surveillance system. This policy should include: identifying who has access to the personal information, how the strata will protect the personal information and for how long the personal information will be kept before it is securely destroyed. The Office of the Information and Privacy Commissioner recommends that video and other recordings be kept for a maximum of 10 days unless they are needed for a longer period because of a specific investigation.
If a strata corporation intends to use a surveillance system, it should pass a resolution amending the bylaws to authorize the use of surveillance for the purposes stated in the bylaw. Under PIPA, a strata is authorized to collect, use and disclose personal information without consent if it is for a reasonable purpose and it is authorized by law, which includes authorization by bylaw. It is recommended that the bylaw concerning surveillance be as detailed and precise as possible.
An individual has the right under PIPA to request access to any surveillance information the strata has about them. A short retention period for surveillance information is also beneficial in these circumstances because the strata will only have a limited amount of data to review for personal information if it receives such a request.
Privacy Complaints
A strata corporation should be prepared to deal with complaints concerning the improper handling of personal information. The strata corporation should have one person, ideally the privacy officer, appointed to deal with complaints and challenges concerning personal information.
A reasonable effort should be made to resolve the issue central to the complaint. If a complaint or challenge cannot be resolved, the complainant should be advised that they may contact the Office of the Information and Privacy Commissioner.
The Office of the Information and Privacy Commissioner has the power to conduct investigations and audits and to issue orders. A breach of PIPA could result in a complainant seeking a damages award before the BC Supreme Court or the Civil Resolution Tribunal.
Takeaways
To aid further understanding of PIPA’s application to strata corporations, the Office of the Information and Privacy Commissioner has published the Privacy Guidelines for Strata Corporations and Strata Agents (updated in May 2022).