10 privacy tips for the rental housing sector
May 2016
Given the sense of sanctuary associated with one’s home, it is little surprise that Canadians have a raised expectation of privacy when it comes to matters related to their accommodations. At the same time, owners of rental housing units have a legitimate interest in ensuring the safety and security of both renters and property—which may necessitate the collection, use and disclosure of personal information.
The Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law, recognizes both the privacy rights of individuals and the need for organizations to collect, use and disclose personal information. To help organizations strike the right balance, the Office of the Privacy Commissioner of Canada has created this tip sheet which outlines the most common privacy dilemmas in the rental housing sector.
Application/Move-In
1. Limit collection, especially of sensitive information (such as Social Insurance Numbers (SIN))
An application form often marks the first formal collection of personal information about a renter. This form should be clear about why personal information is being collected, and it should only ask for information that is necessary. In particular, our Office has recommended that private sector organizations not request SIN numbers and that individuals who are asked for it, not provide the information to private sector organizations, unless the organization is required by law to request it. Organizations that request SIN outside of a legal requirement must clearly mark it as optional. For instance, while a SIN may be helpful for differentiating between people with the same name when requesting a credit check, it is not required – and thus its provision must be optional.
2. Be cautious with informal background checks
Landlords should get consent for obtaining and providing reference and/or background checks. Informal checks – such as viewing an applicant’s Facebook page, or consulting another landlord about the prospective tenant – count as a collection of personal information, and thus must be done in accordance with PIPEDA. If such checks are done without the knowledge and consent of the applicant, you must be able to show which of PIPEDA’s grounds for collection without consent is applicable, and why you cannot meet your purpose by less invasive means. In general, we would advise against turning to social networks as a means of conducting background checks.
3. Have appropriate protections for collected information
Applicants are entrusting you with their personal information—and in many cases, this is detailed information which, in the wrong hands, can cause harm, such as identity theft. Ensure that this trust is well-placed by implementing appropriate protections, including, but not limited to, locked cabinets for paper documents and passwords and encryption for electronic documents. As well, in both cases, reduce potential exposure by limiting the collection of information and allowing access to only those who need the information.
4. Think about disposal right from the start
Information should not be retained indefinitely; you should have a plan in place for the disposal of personal information when it is no longer needed. Disposal must be done appropriately. We have seen too many incidents of documents being thrown in the recycling bin, or falling off the back of a truck, only to be found by a passersby. Information should be destroyed, such that it cannot be recovered or reconstructed.
5. Only collect, use and disclose personal information for purposes you’ve made clear to the tenant
Except in limited and defined circumstances, the individual’s knowledge and consent is required for the collection, use or disclosure of his or her personal information. This, in turn, means that you have to tell that individual why you are collecting, using or disclosing their information. Even where you believe you are doing something beneficial—such as providing contact information to a service provider to pre-arrange installation—you must request and obtain consent for that purpose.
During Rental/Lease
6. Be clear about surveillance, and use it judiciously
Video surveillance of the premises or building can be a point of tension for residents. On one hand, they may appreciate the security that comes with it; on the other, they don’t want to feel watched in their own homes. You can take steps to help mitigate this tension and meet your obligations under PIPEDA. First, post signs and distribute policies that clearly explain how the footage will be used, when it will be accessed and so forth. Next, be cautious in positioning the cameras so as not to capture the inside of a person’s unit. Finally, secure the footage - monitors and/or recorded footage should be secured, and only accessed for the purposes you have defined.
7. Obtain consent for photography within units
There may be very specific occasions for which you require photographs of the interior of an individual’s unit, for example, if pictures need to be taken for an insurance inspection. A landlord that has to take a photograph inside an individual’s apartment can be collecting the renter’s personal information, which requires that person’s knowledge and consent. Even in these very specific circumstances, be careful not to indiscriminately take photos, and put in place safeguards to protect the information.
8. Answer renters’ questions
In many instances, the escalation of a privacy issue can be avoided by: (a) being upfront about the collection, use and disclosure of personal information, and (b) having a means by which individuals can receive answers to any follow-up questions. You should have a privacy policy that details your personal information handling practices and includes a name and contact information for follow-up questions. This document should also describe the process for individuals to gain access to their own personal information – a process that should be supported by internal documentation and staff training on how to fulfill such requests.
Move out
9. Don’t shame ‘bad’ tenants
Despite best efforts, a rental relationship may not go smoothly. From your perspective, the tenant may have been disruptive or damaged the unit, had a poor payment history, or other factors. However, this does not give you the right to disclose this information by, for instance, contributing to an unregulated ‘bad tenants list.’ Formal and regulated mechanisms, such as credit agencies, may be notified in appropriate circumstances; however, ‘vigilante’ actions are seldom, if ever, permitted by law.
10. Debt collection is not a blank cheque for disclosure
Lastly, there are certain exceptions to PIPEDA’s consent requirements for disclosure of personal information to pursue a debt. It is important to keep in mind that these are limited to, among other factors, purposes that a reasonable person would consider appropriate under the circumstances. For instance, in past investigations our Office has found broad disclosure of detailed information about an outstanding debt to an individual’s family members, co-workers or on social media, to be wholly inappropriate.
Guidance documents and relevant resources
- Best Practices for the use of Social Insurance Numbers in the private sector
- Personal Information Retention and Disposal: Principles and Best Practices
- Guidelines for Overt Video Surveillance in the Private Sector
- Tips for containing and reducing the risks of a privacy breach
- Privacy Guide for Businesses
Findings related to landlords
- Property management company agrees to scrap “bad tenant list” (PIPEDA Case Summary #2016-002)
- When using video surveillance: security needs must respect privacy requirements (PIPEDA Case Summary #2010-008)
- Third-party landlord organization collected, used and disclosed tenants’ personal information without their consent (PIPEDA Report of Findings #2009-017)
- Landlord Tenant Board Order addressed concern of privacy complaint, enabling investigation to be discontinued (Discontinued Case Summary #2013-001)
- Photographing of tenants' apartments without consent for insurance purposes (PIPEDA Case Summary #2006-349)
- SIN not required when signing apartment lease (Settled case summary #19)
- Caretaker reveals that tenant’s cheque has bounced (Settled case summary #23)
- Insurance company requires property owners to collect tenants' personal information (PIPEDA Case Summary #2006-343)
Other relevant findings
- Condo security company did not misuse security camera system, but improved personal information safeguards (PIPEDA Case Summary #2007-376)
- Husband’s financial information disclosed to wife’s lawyers by accounting firm improperly complying with Summons to Witness (PIPEDA Case Summary #2009-005)
- Collection agency can't refuse access to personal information on basis that it would be provided as part of a legal proceeding (PIPEDA Report of Findings #2014-017)
- Excessive disclosures in the pursuit of a debt (PIPEDA Case Summary #2004-282)
- Bank accused of withholding information on customer's debt payments (PIPEDA Case Summary #2002-36)
- Date modified: