On January 1, 2001, the Personal Information Protection and Electronic Documents Act (Canada) ("PIPEDA") came into force in relation to certain types of entities. The objective of PIPEDA is to establish parameters to govern the collection, use and disclosure of personal information in a manner that recognizes privacy rights of individuals in respect of their personal information but balances those rights with the needs of organizations to collect, use and disclose personal information in reasonable ways.

When PIPEDA first came into force and effect, its application was primarily limited to certain prescribed types of federal or extra provincial entities only (eg. banks).

As of January 1, 2004, Part I of PIPEDA, that is the section dealing with the collection, use and disclosure of personal information will apply to any "organization" in respect of the personal information that it collects, uses or discloses within a province unless there exists provincial legislation that meets the PIPEDA thresholds.

When does PIPEDA apply? Does it apply to condominium corporations? Does it apply to property management companies?

PIPEDA applies to an "organization" that collects, uses or discloses "personal information" in the course of conducting "commercial activities". For clarity, an "organization" includes an association, partnership, person and a trading name. "Personal information" means information about an identifiable individual. This in essence means that where the identity of a person can be ascertained from the information, that information will be deemed to be personal information for the purposes of PIPEDA. A "commercial activity" means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character. We note that there is no requirement that there be an intention to make a profit.

Does PIPEDA apply to condominium corporations? PIPEDA does not directly address this question. Technically, a condominium corporation could fall within the broad definition of "organization", however since a condominium corporation is a not-for-profit organization it is arguable whether the activities undertaken by the condominium corporation could truly be "commercial activity" for the purposes of PIPEDA since a condominium corporation's activities are statute driven. However, an argument may be attempted that the collection of common expense arrears could be considered a commercial activity even though there was no profit involved, there is obviously an element of "commerce" involved in the debt collection process.

Pursuant to Schedule 1 of PIPEDA, an organization is responsible not only for information in its possession or custody but also that which is transferred to a third party such as a law firm or property management company.

Does PIPEDA apply to property management companies? Organizations which use personal information to services to another organization must also meet PIPEDA standards. Property managers, in order to collect common expense arrears and to carry out the other activities for which they are being compensated for by a condominium corporation must collect, use and sometimes disclose personal information. Accordingly, it is critical that property management companies, irrespective of whether condominium corporations are subject to PIPEDA should, ensure that their policies and procedures dealing with the management of personal information comply with the thresholds of PIPEDA.

This is crucial not only because of the legal obligations created by PIPEDA, but also because condominium corporations should, to protect themselves, also be looking to satisfy themselves that property management companies have in place adequate policies and procedures to address PIPEDA thresholds.

Schedule 1 to PIPEDA sets out the National Standard of Canada Model Code for the Protection of Personal Information (the "Code"). Briefly, the essence of the principles are as follows:

4.1 Principle 1 - Accountability
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.

4.2 Principle 2 - Identifying Purposes
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

4.3 Principle 3 - Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

4.4 Principle 4Ð Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

4.5 Principle 5 Ð Limiting Use, Disclosure, and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.

4.6 Principle 6 Ð Accuracy
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

4.7 Principle 7 Ð Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

4.8 Principle 8 - Openness
An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

4.9 Principle 9 - Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

4.10 Principle 10 - Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.

In order to effectively establish a privacy/personal information management policy and related procedures, an organization must first examine its own use of personal information. That is, where in its commercial activities does it use, collect or disclose personal information. This task is often best left to the person who is in charge of ultimately ensuring the development, implementation and compliance of the actual privacy policy for the organization. The same party should then be accountable for developing the procedures used to effect the policy and compliance. Having a privacy policy, without implementing it, is of no value. Implementation requires, at a minimum, informing and training employees in respect of the organization's privacy policies and procedures in respect of the use, collection and disclosure of personal information.

In the condominium industry, the most obvious use of personal information is in the collection of common expense arrears. Property management would be wise to focus on ensuring that the necessary procedures are in place to address the ongoing need for the protection of the personal information contained in the records of the condominium corporation that are used by the property manager. Property managers would also be well advised to ensure that they have the permission of the condominium corporation via board resolution to collect, use and disclose the personal information in the course of executing their duties.

Another key question is whether it is necessary to obtain the consent of a unit owner before using his or her personal information to assist in managing and administering the affairs of the condominium corporation. Fortunately, pursuant to regulations made under PIPEDA, no consent is required where the personal information in question appears in a registry collected under statutory authority and to which a right of public access is authorized by law, and collection, use and disclosure of the personal information relate directly to the purpose for which the information appears on the registry. Information registered under the Land Titles Act or Registry Act of Ontario has been registered for the purpose of indicating ownership to a piece of real estate such as a condominium unit. This objective, together with the obligations of a unit owner under the Condominium Act may justify a position taken by both a condominium corporation (if PIPEDA applies) and a property manager that use of the information is reasonable and that no consent is required from the individual because it is being used for the reason it was provided.

However, as noted from the ten principles above, consent is only one aspect in the management of personal information. Condominium corporations must ensure that their property management companies do not use personal information from the records of the condominium corporation for any other purpose other than for the purpose of enforcing the condominium corporation's obligations under the Condominium Act. The selling of resident lists or any other commercial activity would be strictly prohibited without proper consent and would be in contravention of PIPEDA and subject to penalty.

Condominium corporations should satisfy themselves that their property managers are well informed of the obligations under PIPEDA and have implemented the necessary policies and procedures within their own organizations to ensure that there is no prohibited or unauthorized collection, use or disclosure of personal information.

Please contact us if you would like to learn more about the area of privacy and how it will affect you.