By Tia Politi, General Manager for Acorn Property Management
An acquaintance of mine who is a landlady thought she was properly protecting her tenant’s information, until her errant son who had moved back home and ended up back on drugs found her files containing her tenants’ rental applications. He took that information and stole their identities to take out credit cards under their names, charging up unbelievable amounts of debt to pay for his drug habit before he was caught. As you can imagine the fallout was extreme as she faced angry tenants, her son charged with criminal ID theft, and the expense of making her tenants whole.
As a rental business owner, you operate under many of the same laws and regulations as any business owner in regards to your customer’s privacy and security of their personal information.
A rental application is an ID thief’s dream: all personal data in one location, likely including name, birthdate, and social security number. So, what are you doing to protect your tenant’s privacy?
Privacy laws are based on Fair Information Practices, first developed in the United States in the 1970s by the Department for Health, Education and Welfare (HEW). The basic principles of data protection are:
- For all data collected there should be a stated purpose.
- Information collected by an individual cannot be disclosed to other organizations or individuals unless authorized by law or by consent of the individual.
- Records kept on an individual should be accurate and up to date.
- There should be mechanisms for individuals to review data about them, to ensure accuracy.
- Privacy of records shall be maintained by all appropriate means.
- Data should be deleted when it is no longer needed for the stated purpose.
- Transmission of personal information to locations where “equivalent” personal data protection cannot be assured is prohibited.
- Some data is too sensitive to be collected, unless there are extreme circumstances (e.g., sexual orientation, religion).
The Fair Debt Collection Practices Act similarly limits dissemination of information about a consumer’s financial transactions. It prevents creditors or their agents from disclosing the fact that an individual is in debt to a third party, although it allows creditors and their agents to attempt to obtain information about a debtor’s location. It limits the actions of those seeking payment of a debt. For example, debt collection agencies are prohibited from harassment or contacting individuals at work.
If you are pursuing a past tenant for monies owed, you must comply with this law while continuing to:
(1) Ensure the security and confidentiality of customer information;
(2) Protect against any anticipated threats or hazards to the security or integrity of such information; and
(3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
In an attempt to provide further safeguards of personal information, in 2012, the Obama administration, set forth its Consumer Privacy Bill of Rights that would be implemented through codes of conduct and serve to encourage legislative action in regards to the following areas of privacy. Specifically, it provides for:
- Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.
- Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.
- Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
- Security: Consumers have a right to secure and responsible handling of personal data.
- Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
- Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
- Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.
You are holding private and sensitive information about your tenants. As such, you are required to protect that information from misuse and access by unauthorized persons. Your obligation extends well beyond the termination of tenancy.
- Keep all tenant information under lock and key, keep the key location confidential, and do not give out any information about a tenant, including a rental reference, without a signed release.
- Take care when providing rental references for past tenants; only answer the questions you are asked, do not volunteer information.
- Keep all tenant records for a minimum of six years.
- Destroy all documents with sensitive information in a lawfully approved manner.
This column offers general suggestions only and is no substitute for professional legal counsel. Please consult an attorney for advice related to your specific situation