Must homeowner supply personal information to the board?
Question: My homeowner association distributed a security form to homeowners, demanding personal information that I refused to provide. When I protested, the association’s attorney wrote me this:
“While the association briefly collected the entire digits of owners’ personal identification, the association no longer engages in this practice and has destroyed any such information collected in this way. The association is not collecting personal information with any criminal intent. It is collecting information from owners which it intends to use as a means of protecting and enhancing the owners’ security.
“Penal Code Section 530.5(b) is inapplicable because the association collects only an incomplete portion of the owners’ identification numbers, which is highly difficult, if not impossible, to use for fraudulent purposes. The association’s policy is intended to ascertain the true identity of the owners so as to insure that the owners, and not unauthorized third parties, have access to the association grounds.” Is the attorney correct? Do I have to give the association my personal information?
Answer: Your board failed to take proper steps in collecting titleholder information. It is irrelevant how “briefly” the association collected “entire digits of owners’ personal identification,” or that it no longer engages in that practice; they did it.
What’s relevant is: Who had access to such data and for how long; are they still employed by management or the association; were confidentiality statements signed; and what method and proof, if any, is there that “the association no longer engages in this practice and has destroyed any such information”?
It is also irrelevant that the association’s collection methods for gathering personal information were performed without any criminal intent. That has nothing to do with the level of scrutiny needed to protect each titleholder’s rights and interests.
The attorney’s assumption that partial numbers make them “highly difficult if not impossible to use for fraudulent purposes” is typical of the complacent thinking that can precede unauthorized use and identity theft. The board must answer questions pertaining to the safeguarding of personal information.
There are no duties within the Davis-Stirling Act requiring the board to enhance the owners’ security. The attorney’s representation amounts to an admission that the board has created a privacy policy, yet such policies cannot be created unilaterally; they have the same import as “rules,” meaning they must be documented and announced in the minutes, then distributed to the members, who have 30 days to object. Under the Davis-Stirling Act, failure to follow those procedures makes the new policy invalid and unenforceable.
Penal Code Sections 530.5(a) and (b) do apply because the association obtained the information willfully. Companies demanding personal information are required to distribute privacy policies detailing how they gather, maintain and dispose of such information and the purpose for which it was collected. Because your board intends to use the information as a means of protecting owners, it must also detail how that protection will occur and at what cost.
Your board’s failure to understand its role to safeguard titleholder information amounts to a lack of due care and diligence in its duties and hiring practices. Boards that function outside their statutory duties and then misinterpret the law to cover up their acts subject all titleholders to unnecessary risk. Whether the association has a privacy policy in place, disclosure of this type of personal information is not required and should be rejected as an invasion of your privacy.
--
Send questions to P.O. Box 11843, Marina del Rey, CA 90295, or e-mail noexit@mindspring.com.
