Property management company improves privacy policy

PIPEDA Case Summary #2005-301

(Principle 4.1, 4.1.2, 4.1.4, and 4.8)

Complaint

An individual alleged that the property management company for the condominium corporation to which he belonged, did not provide him with information regarding its privacy policy or the name of its designated privacy official, contrary to the provisions of the Personal Information Protection and Electronic Documents Act (the Act).

Summary of Investigation

In February of 2004, the complainant requested a detailed response from the property management company outlining what action and procedures it and the condominium corporation had taken to ensure compliance with the Act. The complainant was told that personal information was protected by management and that the condominium board was in complete compliance. Dissatisfied with this response, the complainant brought his concerns to the Office.

The property management company provided the Office with a copy of a privacy statement dated January 2, 2004. The statement contained a brief overview of the Act, the purposes for which the company and the condominium board collected personal information, what information is collected, and a general statement about the uses of personal information and safeguards. The name of the official responsible for ensuring compliance was also included.

The policy, however, was not immediately delivered to residents as it had to be approved by the condominium board of directors. After it was approved in the spring, an undated policy statement was given to residents. It was virtually the same as the one that was drafted in January except that the privacy officer's name was not included.

Our Office made a number of suggestions to improve the policy. The company needed to state that financial information is being collected, and to address the principles of consent, accuracy, access, and challenging compliance, as required under Schedule 1. The company revised its policy accordingly, and provided residents with a new one in the fall of 2004.

Findings

Issued March 22, 2005

Application: Principle 4.1 states that an organization shall designate an individual who is accountable for the organization's compliance with the principles in Schedule I to the Act; Principle 4.1.2 stipulates that the identity of this individual shall be made known upon request; Principle 4.1.4 further states that an organization shall implement policies and practices to give effect to the principles, including implementing procedures to protect personal information; establishing procedures to receive and respond to complaints and inquiries; and developing information to explain the organization's policies and procedures; and Principle 4.8 states that an organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

In making her determinations, the Assistant Privacy Commissioner deliberated as follows:

  • It was clear that the initial response the complainant received to his request for information about the policies and procedures put in place by the management company and the condominium board to ensure compliance with the Act was unsatisfactory. The Assistant Commissioner found the statement vague, and noted that it did not provide the name of the person to whom the complainant could address his concerns.
  • The property management company admitted that it did not have a policy in place on January 1, 2004, nor did it have one when the complainant made his request in February 2004. Even when the policy was finally provided to residents in April 2004, it did not contain the name of the designated official responsible for the company's privacy compliance.
  • On the whole, the Assistant Commissioner found that the company was not in compliance with the accountability and openness principles stipulated in Schedule 1 to the Act.
  • However, as a result of the Office's involvement, the company took steps to improve its policy and has distributed a dated policy statement, with the privacy officer's name included, to residents.

As the Assistant Commissioner was satisfied with the actions taken by the company, she concluded that the complaint was resolved.

Date modified: