|
|  |
|
|
Web Site Privacy and Use Policies Protect Community Associations and their Residents
Many homeowner associations, if not most of them, have established Web sites for their communities. Unfortunately, far too few associations have also created privacy and use policies. A privacy and use policy protects residents from the theft or misuse of their personal information and helps associations reduce and manage these potential Internet risks.
The Importance of a Privacy and Use Policy
Privacy policies describe how associations protect the personal information they collect from residents and how they make such information available on the community’s Web site. Use policies outline the limitations and terms governing access to the site and the use of the functions available there. Both policies should be written clearly (in plain English) and posted conspicuously on the site. The goal is to ensure community residents, who represent the primary audience, understand the usage terms and privacy protections and are bound and reassured by them.
Reassurance is especially important in the privacy arena, as reports of illegal hacking, identity theft, and security breaches are reported almost daily. Although most of these incidents have involved the sites of financial institutions, consumers have become increasingly skittish about on-line financial transactions of all kinds. This skittishness will affect residents’ view of association websites and his or her willingness to visit and transact business on them. The more on-line features your site offers and the more personal information you collect to facilitate those uses, the more comprehensive your association’s privacy policy should be.
What Do You Need?
Start by reviewing the information you collect from community residents. You want to do more than simply catalogue the data. Ask some critical questions about it, including: 1) what “personally identifying” information (Social Security numbers, driver’s license numbers, phone numbers, bank account numbers, etc.) do you collect; 2) How do you use that information; 3) is it essential; 4) could you achieve the same goals with less personal information, or with no personal information at all? Associations should not collect data simply to “have it on file.” Collect only the information you use and be prepared to explain to residents precisely why you need it as they have a right to know.
Once you have identified the information you collect and why, review the procedures you have in place for protecting it. Among other key questions:
-
Who has access to the information?
-
What mechanisms have you established to prevent unauthorized access to the data?
-
Do you share the information with third parties? If so, under what circumstances and subject to what restrictions?
-
How do you ensure the accuracy of the information you collect? How do you update it?
-
How do you handle the disposal of outdated data files?
As part of this privacy analysis, you will want to review your data security policies with your association’s attorney to ensure that they meet all the requirements of applicable state and federal privacy laws and are consistent with the association’s governing documents. Once you and your attorney are satisfied that your policies pass muster, you are ready to draft, or have your attorney draft, a privacy statement describing them.
Although the details of these statements will vary, depending on the substance and complexity of an association’s Web site, most should:
-
Begin by emphasizing the association’s commitment to protecting the privacy of homeowners and ensuring the security of the data the association collects.
-
Specify what data is collected and how it is used.
-
Explain the steps taken to ensure the accuracy of the data and to prevent unauthorized access to it.
-
Note how long data is retained, explain how it is updated, and outline the procedures for disposing of “dead” data files.
-
Indicate the circumstances (if any) under which the association will share personal information with third parties, and note the right of residents to “opt out” of those data sharing relationships. The statement should specify that the association generally will not share a resident’s personal information without first obtaining permission to do so, but it should also note exceptions, where the information may be shared without permission: to comply with a court order, for example, or to investigate or prevent illegal activities in the community.
-
Explain that while the association assumes responsibility for the personal information it collects, the association cannot guarantee the privacy policies of other sites operated by entities with which the association does business, including sites whose links are displayed on the association’s site.
-
Explain the special terms for collecting information from children. This language is necessary because federal law prohibits the unauthorized collection of information from children under the age of 13. The privacy statement should note that if parents want their children to have access to the association’s Web site, they must give the association permission to collect and store personal information about the children, consistent with the association’s privacy policy. The privacy statement should also note that children who have access the Web site will have access to all services and information available there, and should require parents to acknowledge their responsibility for determining the appropriateness of the material for their children.
If your association’s attorney does not draft the privacy statement, make sure he/she reviews and approves it. Post the statement in a conspicuous spot on the Web site – either on the home page, or on a page reached through a link on the home page. Also make sure the association’s employees, management company, and anyone involved in managing, updating, or operating the site understands the privacy procedures and obligations. Most important, make sure the association abides by the policies it establishes.
Access and Use by Those Outside Your Community
Although your Web site will function primarily as an internal communications tool aimed at community residents, it is also a looking glass through which others may peer to form an impression of what your community is like and, possibly, to decide whether it is a community in which they might want to live. This marketing function is useful and important, so you will want to make some information on the site available to the general public, but not all of it. You can segregate the public and owners’ sections easily by requiring a user name and pass code to reach protected areas. Someone — the association manager, a member of the board, or a designated volunteer — should be responsible for assigning pass codes to new arrivals and “retiring” the pass codes of residents who leave.
Your access and use policy should specify what information is available to the public and what information is available only to community residents. General information about the community and its amenities, governing documents, newsletters, and rules and regulations can all be displayed without concern in the public area. However, financial records, names, addresses and phone numbers of residents, and probably even the minutes of board meetings should be restricted to residents only. (Under Colorado law, sellers have the obligation to provide a buyer with certain association documents, including its financial information and board minutes. Password protecting these items on a website ensures security and, at the same time, provides the seller with a convenient way to access this information.)
Associations should include a disclaimer on the public portion of the site stating that they do not guarantee the accuracy of the information and advising visitors to rely on original documents only. This establishes a defense, of sorts, against prospective buyers who might seek damages from the association, claiming that they relied on Web information that turned out to be inaccurate or exaggerated.
Inappropriate Information for an Association website
While a website is a highly effective and convenient communications tool, there is some information associations should not make available on-line. This includes any potentially embarrassing or otherwise sensitive information, including: 1) the identities of delinquent owners, personnel information (salaries, disciplinary actions, etc.); 2) vendor contracts; 3) the minutes of board meetings held in executive session (Although we recommend not taking minutes in executive session, if an association does, it may not want to post them on the website) and 4) communications related to legal proceedings. Also, when considering what information to make available on the site, remember that if you post pictures of residents, you must obtain their permission.
Other Considerations
If the site contains interactive features, such as chat rooms, or a community e-mail network, the board should establish a usage policy governing access and participation. The purpose is to protect the association, which, as the owner of the Web site, is legally responsible for the information that appears there. With these liability considerations in mind, the use terms you establish should require residents to adhere to specified standards of conduct. Language we recommend prohibits on-line postings or e-mail communications that:
-
are damaging, threatening, abusive, harassing, false, tortuous, defamatory, vulgar, obscene, libelous, harmful to minors, invasive of another’s privacy, hateful, racially, ethnically, or otherwise objectionable;
-
violate copyright or trademark protections;
-
violate local, state, or federal laws or association rules and policies;
-
transmit viruses; and
-
stalk or harass others.
Usage policies should also specifically prohibit residents from collecting, storing, sharing, or otherwise exploiting the personal data of other residents. Additionally, the policy should contain a general disclaimer indicating that the association does not assume responsibility for monitoring postings and communications, but it does reserve the right to edit or remove material that violates the association’s usage and privacy policies, or that the board finds otherwise unacceptable. Associations should also communicate that violations of the website access policies will be treated as violations of the association’s general rules and regulations with consequences that may include, in addition to removing offending postings, the denial of access to that portion of the website (or all of it), the suspension of other association privileges, and fines.
[PRINTER FRIENDLY VERSION]
|
|
| |
|
|
|
Education Forums
|
|
Lunch Forums
For Managers
May 4
Is Restricting Renters The Answer?
12:00 - 1:30 PM
Arvada Office
5610 Ward Road
Suite 300
(1 mile north of I-70)
June 1
How Can We Make Declarations More Effective?
12:00 - 1:30 PM
Arvada Office
5610 Ward Road
Suite 300
(1 mile north of I-70)
Dinner Forums
For Board Members
May 20
Success Basics For Board Members
9:00 AM - 12:00 PM
Arvada Office
5610 Ward Road
Suite 300
(1 mile north of I-70)
May 22
Successful Covenant and Rule Enforcement
9:00 AM - 12:00 PM
Fort Collins Office
4703-A Boardwalk Drive
Click here to register
|
|
|
Loura Sanchez Featured Speaker
|
|
Lorman Education Services presents: Legal Aspects of Condominium Development and Homeowners' Associations In Colorado
May, 12, 2006
9:00 AM - 4:30 PM
Radisson Hotel Stapleton Plaza
For course description or to register click here.
|
|
|
Community Associations Institute
|
The Community Associations Institute (CAI) is a nonprofit organization that provides education and resources to community associations. To find out more about CAI visit www.caionline.org
|
|
|
Unsubscribe
|
|
HindmanSanchez respects the Web and the privacy of those who use it. To unsubscribe to Community E-ssentials, click
here.
|
|
|
