The Privacy Commissioner for Personal Data (“PCPD”) recently issued a new Guidance Note for the Property Management Sector, in response to a series of recent complaints concerning the collection, retention, use and disclosure of personal data by property managers. It provides important guidance for property managers on complying with the Data Protection Principles (“DPP”).
Under DPP 4(1), property managers should ensure that the personal data they collect is adequate but not excessive for the purpose for which it is collected. Under DPP 1(3), data subjects should also be provided with a “Personal Information Collection Statement” at the time of collection.
Recording HKID numbers of visitors is not an uncommon practice in the property management sector. However, the PCPD considers that imposing a mandatory requirement for visitors to supply their HKID numbers is a contravention of DPP 4(1). Property managers therefore, ought to consider adopting other (where practicable) less privacy-intrusive methods to verify visitors’ identities. For example, HKID cards could simply be sighted, rather than recording the HKID number. Alternatively, other forms of identification could be used.
DPP 2(2) requires that personal data shall not be kept longer than is necessary to fulfil the purpose (including any directly related purpose) for which the data is or is to be used. Often, property managers do not specify the retention period for personal data they have previously collected, which is regarded by the PCPD as a breach of DPP 2(2). Property managers should prepare a retention policy for the personal data they collect.
Property managers should also ensure that personal data they hold is not at risk of unauthorised or accidental access, processing, erasure, loss or use. Access to personal data should be on a “need-to-know” basis, and practical measures must be taken to control access (such as establishing access rights or setting password protected access).
Extra caution should be exercised to avoid data leakage and/or inappropriate online disclosure of residents’ personal data (when, for example, communicating with staff or residents through communication apps). If property managers wish to use cloud services, they should carefully assess the reliability of their suppliers and contractors or subcontractors and their services, the security measures in place, and whether the terms and conditions set out in the contracts with them meet all of the requirements of the DPPs.
Some property managers have adopted the practice of posting overdue notices on public notice boards, which display the full names and addresses of owners who have management fees in arrears. According to the PCPD, this practice contravenes DPP 3(1), which provides that data users must ensure that the use of personal data is confined to the purpose for which the data was originally collected and/or for a directly related purpose.
The PCPD also observed that there are instances where, when asked to handle inter-resident disputes, property managers might reveal a resident’s phone number to another resident without the consent of the first resident. To comply with DPP 3(1) in this situation, property managers should inform the complainant:
- that their personal data will be used for handling matters relating to the complaint; and
- that their personal data may be disclosed to other residents.
To avoid misunderstanding, the PCPD recommends that property managers go further than this and obtain the complainant’s written consent to disclosure, before revealing personal details to a third party.
Another common breach of DPP 3(1) identified by the PCPD, is the display of property owners’ full names and addresses in common forms or logbooks that can be easily seen by passers-by.
Property managers should seek to ensure that previous entries in the visitors logbook are concealed from subsequent visitors or irrelevant parties, and that personal data recorded in the logbook is deleted as soon as practicable after the collection purpose is fulfilled. In relation to the display of notices containing personal data, property managers should carefully consider the necessity, extent and duration of their publication. Individuals’ HKID numbers and contact information should never be displayed in public places.
If property managers wish to install CCTV surveillance cameras in common areas of their managed buildings, all visitors must be explicitly notified that they are subject to CCTV surveillance. The notices should contain details of the data user operating the CCTV system and the specific purpose of the surveillance. CCTV cameras should be clearly visible or marked, and should not be located in areas in which privacy would be expected, such as changing rooms. The property manager should also have policies on the retention and security of personal data collected via CCTV surveillance.
As an industry that collects and uses a large volume of personal data of owners, residents and visitors, property managers need to take particular care to ensure they comply with the DPPs in handling that data. The release of industry-specific guidance by the PCPD suggests that the regulator is keeping a close eye on the industry. It would therefore be prudent for property managers to review the guidance carefully and implement its suggestions.