Management has no right to private data
Question: I sat on my association board for more than eight years. Unbeknownst to anyone, including other board members, the president signed a contract to hire a management vendor. Simultaneously, he handed the vendor all our checking and banking documentation, making management the sole signatory.
I was told to give copies of my Social Security card, driver’s license and vehicle registration documents to the vendor. Management insists that residents prove their cars are registered to their condo addresses or they won’t give us parking stickers to get in the gate or park inside. I refused.
The board then showed me a copy of a bank’s letter to the management company. The bank instructed management to obtain copies of personal documentation from board members and forward it to the bank. When I asked the management what happens to information, I was told it was none of my business.
Management and its personnel are not bonded, and the bank’s letter says nothing about safeguards protecting the confidentiality of information. I brought this to the board’s attention, and the president said, “Don’t be silly. There are privacy laws that protect you. Hand it over or resign.” I refused and was kicked off the board for “not cooperating.”
What must I comply with, and was the president right about laws protecting me? What about all my personal information the management company has?
Answer: California’s criminal and civil laws are not enough to protect deed-restricted titleholders in the circumstances you describe. An association’s bylaws likely contain conditions for board member removal, and taking steps to protect one’s personal privacy is not a valid reason for removal.
No laws prohibit vendors, including attorneys, from disclosing any information they receive about homeowners during the course of their employment.
A bank’s letter to the management company is not a letter from the bank to you. Banks have a statutory duty to keep their client information confidential and secure from threat of identity theft. Vendors have no such duty. Here, the banking client is the management vendor, not you, not your association. The banking relationship does not extend to a board member, titleholder or association.
Without adequate legal assurances, paying an unbonded third party to conduct banking is incompetent. The association should immediately resume its own banking relationship and sign its own checks.
Your board’s naively trusting nature could constitute a breach of fiduciary duty. To protect privacy rights, boards need to insert confidentiality and nondisclosure clauses in all vendor contracts and prohibit management employees from attending board meetings.
The information requested by your association should never be entrusted to an unbonded vendor. Release such information only when required by law to do so and always accompany released personal information with a statement that it not be shared with third parties for any reason.
Civil Code sections 1798.81 to 1799 impose obligations on businesses to destroy customer records containing personal information they no longer retain. That means the customer’s information must be rendered undecipherable. Any customer injured by a violation of this code can institute a civil action to recover damages; however, the association, not the homeowner, is the legal victim.
There is no legal requirement that owners provide copies of their vehicle registration to management, and there is no law stating that you must prove to a board that your car is registered to your condo address. California Vehicle Code section 4453 states that the registration card must include, among other things, the residence or business address of the owner.
A board cannot prohibit a resident from driving a vehicle not registered to him or his property address inside a common-interest development.
Vigorously guard your privacy. If pressured to disclose personal information to a homeowner association for any reason, demand written assurances of nondisclosure, a detailed statement of why it is required, how it will be used, the requesting party’s name, the purpose for requesting it and the signature of the responsible party.
Send questions to P.O. Box 451278, Los Angeles, CA 90045 or NoExit@mindspring.com.
