Published on: April 22, 2006
Many homeowner associations, if not most of them, have established Web sites for their communities; far too few of them have also created the privacy and use policies that are essential both to protect residents from the theft or misuse of their personal information, and to help associations reduce and manage those potential Internet risks.
Privacy policies describe the framework for protecting the personal information associations collect from residents and make available on the community’s Web site; use policies outline the limitations and terms governing access to the site and use of the functions available there. Both policies should be written clearly (in plain English) and posted conspicuously on the site; the goal is to make sure community residents, who represent the primary audience, understand the usage terms and privacy protections and are bound and reassured by them.
What Do You Need?
Start by reviewing the information you collect from community residents. You want to do more than simply catalogue the data; you also want to ask some critical questions about it:
- What “personally identifying” information (Social Security numbers, driver’s license numbers, phone numbers, bank account numbers, etc.) do you collect?
- How do you use that information?
- Is it essential? Could you achieve the same goals with less personal information, or with no personal information at all? You don’t want to collect data simply to “have it on file.” Collect only the information you use and be prepared to explain to residents precisely why you need it; they have a right to know.
Once you have identified the information you collect and why, review the procedures you have in place for protecting it. Among other key questions:
- Who has access to the information?
- What mechanisms have you established to prevent unauthorized access to the data?
- Do you share the information with third parties? If so, under what circumstances and subject to what restrictions?
- How do you ensure the accuracy of the information you collect? How do you update it?
- How do you handle the disposal of outdated data files?
As part of this privacy analysis, you will want to review your data security policies with your association’s attorney, if you have not already done so, to ensure that they meet all the requirements of applicable state and federal privacy laws and are consistent with the association’s governing documents, as well. Once you and your attorney are satisfied that your policies pass muster, you are ready to draft, or have your attorney draft, a privacy statement describing them.
Although the details of these statements will vary, depending on the substance and complexity of an association’s Web site, most should:
- Begin by emphasizing the association’s commitment to protecting the privacy of homeowners and ensuring the security of the data the association collects.
- Specify what data is collected and how it is used.
- Explain the steps taken to ensure the accuracy of the data and to prevent unauthorized access to it.
- Note how long data is retained, explain how it is updated, and outline the procedures for disposing of “dead” data files.
- Indicate the circumstances (if any) under which the association will share personal information with third parties, and note the right of residents to “opt out” of those data sharing relationships. The statement should specify that the association generally will not share a resident’s personal information without first obtaining permission to do so, but it should also note exceptions, where the information may be shared without permission: to comply with a court order, for example, or to investigate or prevent illegal activities in the community.
- Explain that while the association assumes responsibility for the personal information it collects, the association cannot guarantee the privacy policies of other sites operated by entities with which the association does business, including sites whose links are displayed on the association’s site.
If your association’s attorney does not draft the privacy statement, make sure he/she reviews and approves it. Post the statement in a conspicuous spot on the Web site – either on the home page, or on a page reached through a link on the home page. Also make sure the association’s employees, management company, and anyone involved in managing, updating, or operating the site understand the privacy procedures and obligations. Most important, make sure the association abides by the policies it establishes.
Access and Use
Although your Web site will function primarily as an internal communications tool aimed at community residents, it is also a looking glass through which others may peer to form an impression of what your community is like and, possibly, to decide whether it is a community in which they might want to live. This marketing function is useful and important, so you will want to make some information on the site available to the general public, but not all of it. You can segregate the public and owners’ sections easily by requiring a user name and pass code to reach protected areas. Someone — the association manager, a member of the board, or a designated volunteer — should be responsible for assigning pass codes to new arrivals and “retiring” the pass codes of residents who leave.
Your access and use policy should specify what information is to be available to the public and what information will be available only to community residents. General information about the community and its amenities, governing documents, newsletters, and rules and regulations can all be displayed without concern in the public area; financial records, names, addresses and phone numbers of residents, and probably even the minutes of board meetings should be restricted to residents only. (Prospective buyers will typically want to review budget information and board minutes, but it is better if that information comes directly from the seller rather than from the association, which, absent a state law to the contrary, does not necessarily have a business relationship with potential buyers.)
Associations should include a disclaimer on the public portion of the site stating that they do not guarantee the accuracy of the information and advising visitors to rely on original documents only. This establishes a defense, of sorts, against prospective buyers who might seek damages from the association, claiming that they relied on Web information that turned out to be inaccurate or exaggerated.
Not for Members Either
While a Web site is a highly effective and convenient communications tool, there is some information associations should not make available on-line. This includes any potentially embarrassing or otherwise sensitive information, such as: the identities of delinquent owners, personnel information (salaries, disciplinary actions, etc.), vendor contracts, the minutes of board meetings held in executive session, and communications related to legal proceedings. Also, when considering what information to make available on the site, remember that if you post pictures of residents, you must obtain their permission.
- Are damaging, threatening, abusive, harassing, false, tortious, defamatory, vulgar, obscene, libelous, harmful to minors, invasive of another’s privacy, hateful, or racially, ethnically, or otherwise objectionable.
- Violate copyright or trademark protections.
- Violate local, state, or federal laws or association rules and policies.
- Transmit viruses.
- Stalk or harass others.
Usage policies should also specifically prohibit residents from collecting, storing, sharing, or otherwise exploiting the personal data of other residents. Additionally, the policy should contain a general disclaimer indicating that the association does not assume responsibility for monitoring postings and communications, but it does reserve the right to edit or remove material that violates the association’s usage and privacy policies, or that the board finds otherwise unacceptable. Associations should also note that violations of the Web access policies will be treated as violations of the association’s general rules and regulations, with consequences that may include, in addition to removing offending postings, the denial of access to that portion of the Web site (or all of it), the suspension of other association privileges, and fines.