Property management depends on having both fluid and timely access
to data – whether for payments and arrears, maintenance work, moves, and a
host of other events that take place in a building or for pertinent resident
information. At the same time, data privacy regulations and
expectations call for limits on access to personal data to
keep it protected.
Integrity and trust are at the core of BuildingLink. We are
dedicated to ensuring that the right data gets to the right people at the right
time, and we are taking every measure possible to ensure our clients’ personal
data and privacy is protected. With BuildingLink’s growing worldwide presence,
we’ve seen an increased emphasis – both market-driven and regulatory – on
ensuring client data protection and data access controls.
While everyone is entitled to an expectation that their personal
data is protected, property managers of buildings located in the EU and Canada
have an extra bar to clear regarding what they do with, and where they put,
their residents’ data. This update is aimed at advising all
clients, and especially EU and Canadian clients, how BuildingLink helps them
meet that bar.
'Layering on' BuildingLink Data Protections
We’ve built (and continue to improve) our platform with your
privacy in mind, by creating multiple “layers” of customizable options for
crafting data access, use, and privacy rules that work for your property. At
the lowest level, the platform provides controls for physical access to
the BuildingLink site and data. All users are limited to logging in
only to specific computers in specific physical locations via our “authorized
computers” module. At a more micro level, you can set up niche, customized data
access permissions for owners, managers, renters, and employees, according to
what they need to perform their functions. For example, elevator
operators could be given one level of access, while maintenance workers
could be given another, according to the situation requirements.
BuildingLink screen options enable contact functions without
revealing contact information. In this way, it is
possible to email a resident without divulging their email address, or call a resident without disclosing their phone
number or other personal information. For further data protection, you can
set up a system that flags data access and changes. It is possible
to track the disclosure and integrity of data by enabling notifications
upon access to, or modification of, data. (One possibility is setting up the
system to send out an email to residents when any of their personal data
is modified!)
Taking Your Software to Europe? Don't Forget Your "Privacy
Shield"!
Maintaining balance to the extent that satisfies international
data transfers across the Atlantic also requires an understanding of the law
and what being compliant entails. It’s important to be up-to-date on data
privacy
because some major changes have just come into
effect. The EU – U.S, Privacy Shield replaced Safe Harbor as the
standard for sanctioned transfers of personal data between the
European Union and the United States.
A Really Brief History Lesson: The Rise and Demise of
Safe Harbor
From 2000 to 2015, the Safe Harbor Agreement governed the legal
transfer of personal data from EU member countries to the United States.
However, concerns about U.S. government surveillance programs – and the way social media companies transferred
personal data across the Atlantic – brought
the program’s effect into question.
These concerns were at the center of a suit brought by an Austrian Facebook user,
Max Schrems, that was referred by
the Irish High Court to the European Court of Justice (ECJ) in June
2015 (case number: C-362/14). He argued that the United States does not
provide “adequate protection”, and that U.S.
surveillance programs like the NSA’s PRISM run counter to individual data
protection.
The court agreed with the plaintiff, and invalidated the Safe
Harbor Agreement.
Privacy Shield to the Rescue
In February 2016, the EU Commission announced
the new framework called EU-U.S. Privacy Shield, and
released the requirements for its certification. As of August 1,
2016, American companies could certify themselves as compliant.
Privacy
Shield is a new program that provides a framework for the transfer of data from
the European Union to the United States. (It replaces the recently invalidated
Safe Harbor Principles.) There are several guidelines that a company must
adhere to and include in their privacy policy in order to be certified under
this shield. The goal is to safeguard private user information, and prevent the
unauthorized dissemination of data. While certification under the EU–U.S.
Privacy Shield is voluntary, once a company does certify, those guidelines are
enforceable by law. This assures EU users that their personal information will
be safe and secure in any data transfer to a certified U.S. company.
What's the Same and What’s Different about “Privacy Shield”?
Though it’s a new program, the core of Privacy Shield is
the same as that of Safe Harbor. Both were established as a
self-certification program based on seven primary principles for legal data
transfers: (1) notice, (2) choice, (3) accountability for onward transfer, (4)
security, (5) data integrity & purpose limitation, (6) access, and (7)
recourse. However, in light of Safe Harbor’s shortcomings, there
are additional avenues for enforcement, including notice, opt-out options,
reviews, an independent ombudsman, and EU citizens’ enhanced redress options.
Accordingly, any business that aspires to certification must
publicize its data management policy on its site, and then conform to
it in its day-to-day practices. This doesn’t mean
that it is etched in stone forever! The company can make
changes, so long as it notifies the people whose data it collects in advance.
If it fails to provide that notice, the FTC can take it to task. Along with the
notice about its practices, the company has to provide a way for people to
opt-out if they are not comfortable with the way their data is to be
handled.
Additional enforcement comes through the new supervision mechanism
that stipulates compliance reviews by the U.S. Department of Commerce. The
consequences for not being found in compliance could extend from
sanctions by the FTC to removal from the list of Privacy Shield
approved businesses. Another external check on compliance comes in the
form of a new privacy ombudsman, who can hear complaints and queries from EU
citizens. This is an important component of the program. It promises that
Europeans will have different channels for communicating their concerns about
their data usages.
BuildingLink is proud to say that we fully live up to the Privacy
Shield principles, and are listed among the
certified Privacy Shield entities.
Heading North of the border? Say hello to PIPEDA!
Canada
has its own set of regulations governing data privacy requirements.
The Personal Information Protection and Electronic Documents Act (PIPEDA or
the PIPED Act) governs how private sector organizations collect, use, and
disclose personal information in the course of commercial business. In the
real estate property management space, this has implications for both property
managers and software products aimed at those managers. As one example,
BuildingLink has added a series of data-aging filters to restrict access to
resident activity data that is older than 30 days. The good news is, you
don't have to be Canadian to take advantage of our data-aging filters. –
They are an option for all BuildingLink clients!
The Data-Privacy BOTTOM LINE: What is Expected of You
Being compliant really boils down to this: be clear about what
personal data comes through your system – and how you are using it – so that
people
fully understand,
and cannot later say they didn’t realize that
their data was being collected. Keep up the
code of conduct you set! If you have to deviate due to some change in your
business operations, provide people with clear notice, so they may
choose to opt-out.
The
above – and additional options – are all available on BuildingLink’s
flexible platform, which allows the site manager to make sure that all data
access and data use is purpose-built. Our BuildingLink team is
happy to work with you to deliver a solution that is optimized to
achieve your preferred balance of convenience and security. Contact us at support@buildinglink.com to learn more.