
Privacy Policies a Board Must Implement
Condominium corporations in Alberta must comply with the Personal Information Protection Act (PIPA) and implement privacy policies to ensure the protection of personal information.
WHAT YOU'LL LEARN
Privacy Policies a Board Must Implement
Differentiating Personal Information from Confidential Information
Evaluating the Effectiveness of Privacy and Cybersecurity Policies
Privacy Policies a Board Must Implement
Required Privacy Policies
Purpose Limitation:
Policies must define why personal information is collected, used, or disclosed.
An organization may collect, use, or disclose personal information only for purposes that are reasonable and only to the extent necessary for meeting those purposes.
Security Measures:
Policies must include steps to protect personal information from unauthorized access, use, or disclosure.
An organization must make reasonable security arrangements to protect personal information against such risks as unauthorized access, collection, use, disclosure, copying, modification, or disposal.
Retention and Disposal Policies:
Organizations must include timelines for retaining personal information and methods for secure disposal.
An organization must retain personal information only for as long as it is reasonable to fulfill the purposes for which the information was collected.
Access Requests:
Policies must outline procedures for individuals to request access to their personal information or corrections.
An individual has a right of access to their personal information that is in the custody or under the control of an organization.
Differentiating Personal Information from Confidential Information
In condominium management, it is important to differentiate personal information (protected under PIPA) from confidential information (related to contractual agreements or fiduciary duties).
Definitions
Personal Information (PIPA):
Information about an identifiable individual, including name, contact details, age, gender, financial details, and property ownership.
‘Personal information’ means information about an identifiable individual, but does not include the name, title, or business contact information of an employee of an organization.
Confidential Information:
Information shared under contractual or fiduciary obligations, such as trade secrets, financial records of the condominium corporation, or proprietary information from service providers.
Confidential information is often governed by contracts and the condo board’s fiduciary responsibilities, rather than privacy legislation.
Comparison Table
Aspect | Personal Information (PIPA) | Confidential Information |
Definition | Identifiable information about an individual. | Sensitive data shared under contractual obligations. |
Legislation | Governed by PIPA. | Governed by contracts, agreements, and fiduciary duties. |
Examples | Name, contact info, unit ownership details. | Vendor pricing, board financials, trade secrets. |
Scenario-Based Analysis:
Scenario: A condominium manager receives an access request for the financial records of the board’s reserve fund.
Question: Does this request pertain to personal information or confidential information?
Answer: This is confidential information, as it pertains to board financial records and is not personal information under PIPA.

Evaluating the Effectiveness of Privacy and Cybersecurity Policies
Condominium corporations must assess the effectiveness of their privacy and cybersecurity policies regularly to ensure compliance with PIPA and protect sensitive information from breaches.
Evaluation Criteria for Privacy Policies
Clarity and Transparency:
Do the policies clearly outline the collection, use, and disclosure of personal information?
An organization must notify an individual of the purpose for which their personal information is being collected.
Security Controls:
Are reasonable security measures in place to protect personal information?
An organization must make reasonable security arrangements to protect personal information against such risks as unauthorized access, collection, use, disclosure, or disposal.
Incident Response Plans:
Are there procedures for responding to data breaches or unauthorized disclosures?
Retention and Disposal:
Are there clear guidelines for how long personal information is retained and how it is securely disposed of?
An organization must destroy or anonymize personal information once it is no longer required for legal or business purposes.
Evaluation Exercise:
Scenario: The board’s privacy policy outlines how personal information is collected but lacks details on secure disposal methods.
Question: What aspect of the privacy policy needs improvement?
Answer: The retention and disposal section requires more detail to comply with PIPA.

