
Condominiums, homeowners’ associations and privacy

  • Writer: privcombermuda
  • Mar 25

Updated: Mar 26

Throughout Bermuda, there are multiple condominiums and homeowners’ associations (HOAs). This blog post looks at some privacy-related concerns and risks in the operation of homeowners’ associations and how they use personal information. It is intended to help HOAs understand the multiple aspects of protecting the personal information they use and to provide them with now that the Personal Information Protection Act 2016 (PIPA) is in effect.


As an independent public office, the Office of the Privacy Commissioner (PrivCom) is charged with helping members of the public to understand the law, be they organisations or individuals. PrivCom has previously published a detailed Guide to PIPA to help organisations understand their obligations under PIPA, as well as an Individuals’ Guide to PIPA to help individuals understand their privacy rights. Small community and non-profit organisations may also find the resources in the Advice to Small Business useful. PrivCom recommends organisations use the Road to PIPA as an instruction manual if they are unsure how to get started.


HOAs are private, legally incorporated non-profit organisations that govern a housing community, collect fees and dues, and set rules for residents. As such, these organisations deal with a variety of personal information. This may present a number of privacy-related concerns, including:


1. Collection and storage of personal information


HOAs collect and store personal information, such as names, addresses, contact details and emergency contacts, as well as sensitive personal information like marital status, family-related information, information from which the sexual orientation of the residents may be inferred, and health-related information. They use financial information about residents such as bank account details, fees and payment history. At times, some HOAs may also collect employment-related information as they may conduct background checks in order to vet potential residents.


Given the multiple ways in which these organisations use personal information, there is a risk of unauthorised access to or disclosure of that information in the absence of internal policies and security safeguards. It is of critical importance for organisations to ensure that the information is stored securely, with appropriate safeguards in place for both physical and digital records. Importantly, the personal information should only be accessed by authorised individuals (that is, role-based access on a need-to-know basis).


HOAs may resort to the use of CCTV, key fob entry systems and intercoms for security purposes. This has implications for residents’ privacy (see our guidance note on CCTV risks and best practices). Improper or excessive use of CCTV and key fob logs may raise concerns about surveillance and potentially lead to violations of residents’ privacy. This is likely to be the case especially when CCTV footage captures private spaces. As with personal information, CCTV footage should only be accessed by authorised individuals and should not be shared without the consent of the person(s) in the footage. It is important that HOAs implement the appropriate retention periods and access controls as residents may have legitimate questions about how long the CCTV footage or logs are stored, who has access to the information, who it is shared with and how else it is used. If there is no transparency, no consent mechanism is in place or excessive amounts of personal information are collected, this can lead to privacy-related issues.


Like all organisations, HOAs must notify individuals of the above uses of their personal information through a clear, easy to understand privacy notice, taking all reasonably practicable steps to ensure it is provided before or at the time of collection of personal information. However, with respect to the use of CCTV, this can be difficult in certain circumstances, such as if the camera is covering a wide public area, so it must be considered carefully to ensure a true notice is provided. Individuals affected by video-surveillance must be informed about key details, such as the existence of the monitoring, its purpose, and the length of time for which the footage is to be kept and by whom. Additionally, separate CCTV signage may be necessary. The privacy notice must include all uses of residents’ personal information, including which other organisations or third parties it is shared with.


The organisation should determine who should be the privacy officer (PO), who helps with the privacy programme and also performs other tasks such as training other HOA members on privacy. The PO also helps identify members of an internal Privacy Committee: in the case of HOAs, this could be members who have responsibility for or some connection to handling personal information. Through policies and procedures that have to be updated throughout the life cycle of personal information, the PO and members of the Privacy Committee document activities, duties, responsibilities, as well as expectations with respect to how the organisation and the various roles within the organisation use personal information. The PO’s contact details must be included in the privacy notice so that residents can contact the organisation about their privacy rights, concerns, or complaints, or to ask questions about the organisation’s information handling policies and practices.


2. Access to information about units and maintenance records

Building management and maintenance services may need to enter the individual housing units for inspections, repairs, or emergencies. To do that, they need to have access to keys, entry logs or maintenance requests and records. Unauthorised access to units or records is a privacy risk, raising concerns about unauthorised entry or improper sharing of information regarding residents’ living conditions, personal issues or health-related concerns. To mitigate these risks, it is recommended that HOAs adopt appropriate policies and procedures with respect to role-based access and put in place adequate security safeguards.


3. Engaging third parties

Organisations may work with management companies, law firms or other third-party contractors and share residents’ personal information with them. It is essential for organisations to ensure that proper safeguards and protection agreements with third parties are put in place. It is the organisation, not the third party, who is ultimately responsible for potential security incidents and data breaches.


4. Communication via email, digital platforms and social media

HOAs may use mailing lists, group chats and/or other online communication channels and platforms to manage operations. They may also need to communicate about meetings, fees, and/or disputes. Distribution of meeting minutes, complaint records or the results of voting – either physically or electronically by email or other means – could expose residents’ personal grievances, private matters or financial struggles. For some practical privacy-enhancing tips regarding the use of email, read our guidance note Maintaining privacy in email communication.


Email lists and message boards may lead to unsolicited communication or harassment. Using social media to engage residents may lead to unintentional disclosure of personal information. Weak security safeguards and cybersecurity measures like weak passwords or lack of encryption can lead to breaches of personal information, exposing residents’ information to unauthorised access, misuse, identity theft, financial fraud, and reputational, emotional or other harm. Additionally, complaints against residents could be mishandled and lead to unauthorised disclosure.


The principle of proportionality, or data minimisation – that is, using only the absolutely necessary minimum of adequate and relevant personal information – should be observed. When too much personal information is shared, for example listing arrears in a newsletter and attributing them to individuals, residents may feel their privacy has been breached. It is important to check the bylaws in order to determine whether such use of personal information is in accordance with the governing documents.


Bylaws and privacy


Condominiums and housing association boards (organisations) regulate relations between resident board members by governing documents such as bylaws or articles of incorporation (or articles of association). It is good practice to incorporate privacy into such governing documents from the outset: a concept that is also called Privacy by design. If your bylaws do not contain privacy-related provisions, it is recommended that HOAs incorporate them in line with the requirements of PIPA.


Bylaws may include the following privacy-related provisions:

  • Consent: Individuals’ consent, which can be withdrawn, is one condition that allows organisations to use personal information – but it is not the only one. Other conditions for using personal information include, for example, fulfilling a legal obligation, contractual necessity, or in relation to employment. Organisations should make sure they identify one or more conditions for using personal information that they are required to meet under PIPA section 6.

  • Confidentiality: Bylaws should require board members, property managers and maintenance staff to keep resident information confidential.

  • Communication guidelines: With privacy as a guiding principle, bylaws should establish rules for sharing minutes of meetings, dispute resolution and complaints handling, or matters related to fees or other issues.

  • CCTV and access rules: Bylaws and the privacy notice should define the purpose of using CCTV, key fob logs, and entry permissions, specifying the roles that need to have access to the information, and ensuring PIPA compliance.

  • Privacy notice (required under section 9 of PIPA): A privacy notice informs individuals what personal information the organisation collects or may collect and which other organisations or third parties the information is shared with. The privacy notice must include the contact details of a privacy officer so that individuals can contact the organisation about their privacy rights, concerns, or complaints, or to ask questions about the organisation’s information handling policies and practices.

  • PIPA rights requests: Under PIPA, individuals have the ability to ask organisations questions, such as what information they have or how they use it. If the organisation no longer has a need to use the information for a specific purpose, the individual could request they delete it. These rights are not absolute and have exceptions when the organisation has a reason to keep personal information under the law. HOAs should make sure that their privacy officer is ready to answer these requests, because there is a 45-day time limit to respond.


    More details can be found in the Guide to PIPA and the Individuals’ Guide to PIPA.

 
 