Balancing Access to Sensitive Information
By Jennifer Barnett
During the course of their tenure on an association’s governing board, board members will come into possession of a seemingly endless amount of information. While owners are entitled to access the association’s books and records regarding the general operation and management of the association, there are certain categories of sensitive information that board members should safeguard and protect from disclosure.
Among those categories are information and materials protected by attorney-client privilege, which was addressed in depth in a recent alert. Other categories of sensitive information that a board may come into possession of include:
- Delinquency reports;
- Reasonable accommodation requests;
- Employee records; and
- Personal owner information.
In all of the above-referenced categories, boards must balance their obligation to keep owners informed of association business against the need to safeguard information which could potentially expose the association to liability if improperly disseminated.
DELINQUENCIES
The association’s financial health depends on the proper assessment and collection of common area fees. While owners may be informed about the total amount of common area fees collected and outstanding, board members should not disclose specific unit owner assessments or delinquencies, nor should board members disclose details about negotiations with these owners, including payment plans. Moreover, even when a lien enforcement action to recover common area fees is pending before a court, board members are still discouraged from discussing the same with anyone outside of the litigation.
Association managers typically produce monthly information packages for board members containing invoices, records of bills paid, collection totals and other financial details. Much of this information can be shared with owners upon request, but not all of it. To that end, board members should refrain from disseminating and disclosing detailed information about individual accounts (aside from that belonging to the specific owner so requesting), including their payment histories and delinquency status. All of this owner-specific information should be redacted before the reports are circulated to owners, inserted in the minutes, posted on the association’s web site, or otherwise distributed outside of the board.
REASONABLE ACCOMMODATION REQUESTS
Generally speaking, a person is handicapped or disabled if: 1) they have a physical or mental impairment that substantially limits one or more major life activities (i.e. the condition limits their ability to walk, speak, hear, breathe, learn or work); 2) the person has a record of such a physical or mental condition; or 3) the person is regarded as having such a condition (meaning that the person is viewed as suffering from a physical or mental disability, even if not formally diagnosed).
The most common types of requests made to a board for a reasonable accommodation are to keep an emotional support or service animal in an association where animals are prohibited, but requests for reasonable accommodations are not limited to any specific type of accommodation or modification if the same is related to a resident’s disability and necessary for that individual to have an equal opportunity to enjoy and use the association. When presented with a request for a reasonable accommodation or modification, boards must evaluate each request fairly, uniformly, and on a case-by-case basis. While boards are entitled to ask for certain information to verify the legitimacy of the request, there is a limitation on the information that boards may request, and boards should not disclose the information received to anyone outside of the board, under any circumstances. Oftentimes, board members are asked why another resident is permitted to avoid strict compliance with the association’s governing documents, i.e., in the case of a resident having an animal in a no-pet community, and in such case, the board should simply state that a request for a reasonable accommodation was made, and granted, without disclosing any details about the resident’s handicap or disability or the information provided in support thereof.
EMPLOYEE RECORDS
Employee personnel records contain private and sensitive information, including performance reviews, medical reports, and disciplinary actions, which should not be disclosed to owners or anyone who does not have a legitimate need for such information. For that reason, the personnel file should be kept separate from payroll information (job description, salary, promotions, etc.), which can be shared with owners.
Employees also have general privacy rights that boards are required to protect. Like reasonable accommodations granted in the context of housing, employee requests for reasonable accommodations in the workplace should be treated as confidential, as should sensitive personal information such as Social Security Numbers, bank accounts, etc. Underscoring that point is a recent case involving the breach of a computer system, wherein the Pennsylvania Supreme Court ruled that “an employer has a legal duty to exercise reasonable care to safeguard its employees’ sensitive personal information….”
Credit checks and criminal background checks also create additional concerns. The results of these investigations should be stored in confidential files, access to which should be strictly limited. Some state laws also limit the extent to which employers can use information gleaned from criminal background checks in their hiring decisions, and associations and board members may be exposed to serious criminal and civil sanctions for violations of the applicable laws and regulations pertaining to the same.
Owners may be entitled to know how much employees are being paid, if the employee is being paid directly by the association, and what duties they are expected to perform. But disclosing performance reviews, reprimands, disciplinary actions and similar information would expose the board to potential legal liability, because evaluations may be contested and revised and disciplinary actions may be reversed. Employees who are criticized unfairly or wrongly accused of infractions might sue for defamation if those complaints are made public, published or otherwise disclosed.
Moreover, personnel files should remain confidential after an employee’s departure, in order to limit an employer’s exposure to a claim for defamation by the former employee. Conditional privilege may be available to a board employer to disclose negative information concerning an employee when such disclosure is reasonably necessary to serve the employer’s legitimate interests, i.e., whether an employee can actually perform the duties of the position. However, conditional privilege does not apply (and will not be a viable defense to a claim for defamation) if the negative statement is made recklessly (i.e., with no effort to determine whether a statement is even true) or if the statement is made with actual malice. Conditional privilege also does not apply if the board employer makes the statement to people who have no legitimate interest in the information (i.e., the discharge of a manager is communicated to the company’s office supply vendor).
When contacted for employment references of past employees, board employers are encouraged to err on the side of caution and only provide neutral references (i.e., dates of employment and positions without commentary). If an employee asks for a substantive reference letter (and the board employer does not have an express policy prohibiting the same), the reference letter should only be sent upon the employee’s execution of a written reference authorization and waiver of liability in advance of producing the same.
PERSONAL OWNER INFORMATION
Laws in most states, including Massachusetts, provide that any person who receives, stores, maintains, processes or otherwise has access to personal information acquired in connection with employment or with the provision of goods or services has a duty to protect that information. Personal information includes a surname, together with a first name or initial, in combination with one or more of the following three data elements pertaining to that person: Social Security Number, driver’s license or state-issued identification card number or financial account or credit or debit card number, with or without any other data element, such as a code, password, or PIN, that would permit access to the person’s financial account. The term “personal information” does not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
Among the safeguards to be considered are:
- Designation of the individuals who will oversee and maintain the information;
- Analysis of: The reasonably foreseeable risks to the security, confidentiality and integrity of records, in any form, that contain personal information; the effectiveness of any current safeguards for limiting those risks; and the need to develop improved safeguards;
- For paper records, adoption of policy provisions for secure storage of materials containing personal information, including restrictions on physical access to such records and, for electronic records, control measures that restrict access and include secure user authentication protocols;
- Encryption of personal information that is stored on computers, laptops or other portable devices or is transmitted across public networks or transmitted wirelessly;
- Adoption of policy provisions to ensure that: Any electronic records system that is connected to the internet includes firewall protection and operating system security patches; security software includes malware protections and virus definitions; and all these programs are reasonably current and updated as needed;
- Oversight of third-party service providers who have access to personal information, including a process to select and retain service providers that are able to maintain appropriate security measures;
- Regular monitoring to detect any unauthorized use of or access to personal information, and to identify any areas where upgraded safeguards are needed;
- Updating protocols whenever there is a material change in business practices that may reasonably implicate the protection of personal information; and
- Documentation of responses to any breach of security, together with all actions taken thereafter to change practices relating to the protection of personal information.