Third-party landlord organization collected, used and disclosed tenants’ personal information without their consent
PIPEDA Case Summary #2009-017
[Principles 4.3, 4.5, 4.7 and 4.7.3(c); Paragraph 7(3)(b)]
Lessons Learned
- When organizations obtain personal information from another source, they must exercise due diligence in ensuring that the information was collected with consent in a manner compliant with the Act.
- The assurance that consent was obtained from the party or parties to whom the information pertains should be part of a written contractual agreement between the information provider and the receiving party.
- Personal information accessible from a web portal must be adequately protected (e.g., by the use of passwords or encryption) from unauthorized individuals.
An advocate for tenants’ rights complained that, without obtaining proper consent, an organization was collecting, using and disclosing sensitive personal information about tenants for various purposes. This personal information was disclosed to the organization’s paying members (i.e., landlords). It was available from the organization’s web site, and, at one point, a portion of it was available to anyone with access to the Internet.
The Assistant Commissioner found that since both the organization and the landlords were collecting, using or disclosing the information, they were both required to ensure that proper consent from the individuals was obtained for the purposes to which the information was being applied. As a third party, the organization must ensure that the information had been collected from tenants with their knowledge of and consent for the purposes explained at the time of the collection. The Assistant Commissioner also determined that, for the most part, the documents used by the organization and the landlords were not adequate to inform tenants or prospective tenants how their personal information would be used or disclosed; neither could these documents be considered a valid consent form for these purposes. Although the Assistant Commissioner made recommendations to the organization, we were unable to follow up on them because the organization is no longer active.
The following is an overview of the investigation and the Assistant Commissioner’s findings.
Summary of Investigation
A) Collection, use and disclosure
The organization offered various services to landlords, in exchange for membership fees. The services included conducting tenant background checks, and tracing and tracking tenants. Also, on its web site, the organization compiled and managed two lists of tenants’ personal information: the “bad” tenant list and delinquent tenant list. This information was available to members.
The membership agreement with the organization stipulated that members were obliged to provide the personal information about their potential, current or former tenants to the organization for two tenant lists. Landlords had to notify the organization of delinquent tenants, provide proof of delinquency (by various means), and authorize the organization to have the tenant’s credit report updated. This information was pooled by the organization and added to one or both of the two tenant lists. Other types of information requested by the organization of its landlord members included the tenants’ social insurance number, date of birth, address, beginning of tenancy, date of last payment, amount owed by the tenant to the landlord, the rental/lease rate and frequency, and the tenant’s employer.
Previously, the organization had agreed to remove the bad tenant list within 90 days and replace it with a system that complied with PIPEDA. However, it appeared that the bad tenant list was still available.
Knowledge and consent:
The tenants themselves did not have any opportunity to provide consent to the organization for its collection, use or disclosure of their personal information. On the other hand, the organization did inform its members in its membership agreement that members needed the consent of individuals before requesting their credit and rental history information from the organization (for example, when doing a tenant background check).
For landlords to collect tenant personal information, the organization relied on several forms that it provided to member landlords. One of these forms (for use within Ontario) is the Ontario Residential Property Application Form. It requests a number of pieces of personal information from the potential tenant, including social insurance number, date of birth, and banking information.
Another form that members could use was the rental agreement form. It contained no reference to the fact that tenants’ personal information could be added to a bad tenant list compiled by the organization, nor that the information would be made available on the organization’s web site in the event of unpaid rent or property damage. Nor did the form mention that personal information could also be used to update the tenant’s credit report with a credit bureau, which was a usual practice.
B) Safeguards
The complainant also alleged that the organization was not appropriately protecting the personal information it had collected and retained. Specifically, it was alleged that sensitive personal information was publicly accessible via the delinquent tenant list on the organization’s web site. An employee of a tenants association had discovered that by changing the identification number in a uniform resource locator (URL) from the organization’s web site, he was able to access over 1300 recent case files of tenants from that list. The information included the names, addresses and telephone numbers of these individuals, as well as other potentially sensitive or stigmatizing information, such as whether they were receiving public assistance, known to use alcohol or drugs, carried a debt load, or had difficult personal relationships.
Before our investigation into the matter was completed, the organization had taken steps to adequately protect the list. As a result, it was no longer available to any person simply by virtue of their accessing the URL.
Findings
Issued December 11, 2009
Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Paragraph 7(3)(b) states that an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is for the purpose of collecting a debt owed by the individual to the organization. Principle 4.5 states that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes. Principle 4.7 states that personal information shall be protected by security safeguards appropriate to the sensitivity of the information. Principle 4.7.3(c) states that the methods of protection should include technological measures, for example, the use of passwords and encryption.
In making her determinations, the Assistant Commissioner deliberated as follows:
A) Collection, use and disclosure
- The organization can be considered a third party since it was not directly collecting personal information of tenants from tenants, nor was it disclosing such information to tenants. Instead, the organization routinely received the personal information from landlords, who had collected it from their tenants or prospective tenants. In turn, the organization would then use this information or disclose it to other members.
- As a third party, what are the organization’s obligations with regard to consent? When handling third-party personal information and complying with Principle 4.3, an organization must demonstrate due diligence. At a minimum, for an organization to demonstrate due diligence with respect to consent, it must use appropriate contractual terms stipulating that its members are obtaining appropriate consents. It can also require proof that consent has in fact been obtained. Our case summary #2003-182 summarizes our position in this regard.
- Presumption of having obtained consent may be sufficient in some cases. In case summary #2003-188, a credit agency’s standard service contract with its members set out the members’ obligation to obtain the consent. Thus, our Office determined in that case that it was reasonable for a credit agency to presume that individuals’ consent had been obtained by members who had agreed to the terms of the contract.
Suitability of contracts, agreements and forms:
- In the present case, the organization offered tenant background checks for landlords (described as including credit checks, eviction searches, banking and employment confirmation, and tenancy history). We noted that the organization’s service contract (i.e., membership agreement) did require landlords to have the consent of tenants before requesting information from the organization about applicants’ credit history and rental history. Therefore, the Assistant Commissioner determined that it was reasonable for the organization to presume that landlords who had agreed to the terms of the contract had sought prior consent from tenants for these purposes. However, she noted that the organization was negligent in not mentioning in the service contract a landlord’s obligation to obtain tenant consent when collecting tenants’ personal information for the purpose of updating credit histories with a credit agency, or for adding the information to the bad or delinquent tenant lists.
- In the Assistant Commissioner’s view, it was clear that landlord members also need to ensure that they have the correct consent for such collection, use and disclosure of their tenants’ personal information.
- Did the tenant forms provided by the organization assist landlords in fulfilling their obligation of obtaining tenant consent? The Assistant Commissioner determined that the two forms to be completed by tenants neither adequately informed tenants of, nor obtained their consent to, the purposes for which the information was either being collected by landlords or would be later used or disclosed by them or the organization. Since information was being collected for purposes not explained in the forms, Principle 4.5 was contravened.
- Regarding the first form, the Ontario Residential Property Application Form, it outlines the purposes and contains consent language permitting the landlord to conduct the inquiry as well as permitting third parties, such as banks or references, to provide the information to the landlord. However, it did not contain language that indicated in any way that―or how―tenant information would be later used and disclosed by third parties such as the landlords’ organization.
- Secondly, in the rental agreement form, it was stated that tenants’ personal information that could be provided to a landlord for a background check was intended to be used to assist in determining a tenant’s eligibility to rent or lease, to collect rent owing, trace or track tenants, and for “employment alerts”. However, there was no specific reference to how the tenant’s personal information―whenever rent is not paid or property is damaged―could be added to the organization’s bad tenant list. Further, the rental agreement form did not indicate that personal information could be sent to the organization for the purpose of updating the tenant’s credit report with a credit bureau.
- Finally, the Assistant Commissioner considered whether any of the exceptions to consent under Principle 4.3 could apply. One exception appeared potentially relevant to the circumstances: Paragraph 7(3)(b) allows an organization to disclose an individual’s personal information without the knowledge or consent of the individual only if the disclosure is for the purpose of collecting a debt owed by the individual to the organization. However, it was unclear to the Assistant Commissioner how placing an individual’s name on a database of bad or delinquent tenants, and making this information available to other landlords, assists in collecting a debt from that individual. What is more, during our investigation, the organization was uncooperative in clarifying the matter. Therefore, the Assistant Commissioner determined that none of the exceptions to consent under Principle 4.3 applied.
B) Safeguards
- Although our investigation established that the personal information of over 1300 individuals accessible from the web site had not been adequately protected by the organization, the Assistant Commissioner determined that the problem had been remedied and that acceptable safeguards had since been put into place with regard to the delinquent tenant list.
- Given the unresolved issues related to consent, the Assistant Commissioner made the following recommendations:
  - Revise the membership agreement to make it clear that landlords must obtain meaningful tenant consent to disclose personal information to the respondent. The revised agreement should also contain the requirement that landlords provide written confirmation of obtaining tenant consent;
  - Revise the rental agreement form to include a specific consent provision for disclosures to the respondent of tenant history personal information;
  - Confirm that the bad tenant list, or any other such compilation of personal information, has been dismantled;
  - Confirm that any and all other lists will be dismantled unless the respondent can show that meaningful consent of tenants had been obtained;
  - Confirm that the delinquent tenant list has been appropriately protected.
- The Office was unable to follow up on the recommendations as the organization is no longer active.
Conclusion
The Assistant Commissioner concluded that the complaint concerning consent was well-founded. The complaint relative to safeguarding was resolved.
Other
Following our investigation, the matter was referred to both the British Columbia and Alberta Offices of the Information and Privacy Commissioner. Alberta has launched an investigation into the activities of a similar organization. The B.C. Office is monitoring landlord services within its jurisdiction.