Property managers handle a surprising amount of personal information: names, unit numbers, phone numbers, emergency contacts, vehicle and parking details, FOB access logs, visitor records, and sometimes payment or insurance data. In Canada, how you collect, use, store, and dispose of that information is governed by privacy law, and PIPEDA, the federal Personal Information Protection and Electronic Documents Act, is the baseline many buildings fall under.
This is general guidance, not legal advice. Privacy obligations vary by province (Quebec, British Columbia, and Alberta have their own private-sector laws, and condo corporations sit in a sometimes grey area), so confirm your specific situation with a qualified advisor. What follows is a practical walk through the PIPEDA principles that matter most to building operations.
Collect only what you actually need
PIPEDA's limiting-collection principle is simple: collect personal information only for purposes a reasonable person would consider appropriate, and only what those purposes require. A building needs a resident's contact details and emergency contact. It probably does not need their employer, their full date of birth, or a photocopy of their passport just to issue a parking permit.
Before you add a field to an intake form, ask what it is for and whether you genuinely need it. Every extra piece of data you hold is something you then have to protect, justify, and eventually dispose of. Less collection is less risk.
Identify your purpose and get meaningful consent
You must identify why you are collecting information at or before the time you collect it, and obtain consent for those purposes. Consent has to be meaningful, which means residents should understand what they are agreeing to. Burying it in dense fine print does not meet the spirit of the law.
If you later want to use information for a new purpose (for example, sharing resident contact data with a third-party amenity vendor), that generally needs fresh consent. Keep a clear record of what people agreed to and when.
- State the purpose in plain language on intake forms
- Separate required information from optional extras
- Get fresh consent before using data for a new purpose
- Let residents withdraw consent, subject to legal and contractual limits
Limit retention and dispose of data properly
You should keep personal information only as long as it is needed for the purpose it was collected, or as required by law, and then securely dispose of it. Former residents' files, expired visitor logs, and old access records should not sit in a drawer or a shared folder forever.
Set retention periods for each type of record, document them, and follow them. "We keep everything just in case" is both a compliance gap and a liability, because data you no longer need is data that can still be breached. Secure disposal means shredding paper and properly deleting digital records, not dragging a file to the trash on a shared machine.
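The retention rule above is easiest to follow when it is written down as data and enforced by a routine rather than remembered. The following is an added example, not code from the article or from any product it mentions: a small retention schedule in which each record type has a period in days, some types start their clock at an event (move-out, permit expiry) rather than at creation, and a legal hold overrides the schedule. The record types, periods and sample records are constructed assumptions for illustration, not figures from the article or from any statute.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical retention schedule in days. These periods are illustrative
# assumptions for this example, not values from the article or any law.
RETENTION_DAYS = {
    "visitor_log": 90,
    "fob_access_log": 365,
    "parking_permit": 365,
    "resident_file": 2 * 365,
}
# Types whose clock starts at a closing event (move-out, expiry), not at creation.
EVENT_BASED = {"resident_file", "parking_permit"}


@dataclass
class Record:
    record_id: str
    record_type: str
    created: date
    closed: Optional[date] = None   # move-out / expiry date for EVENT_BASED types
    legal_hold: bool = False        # kept because the law or a dispute requires it


def disposal_date(rec):
    """Earliest date the record may be disposed of, or None if it must be kept."""
    if rec.record_type not in RETENTION_DAYS:
        # Every record type needs a documented period; fail loudly rather than guess.
        raise ValueError(f"no retention period defined for {rec.record_type!r}")
    if rec.legal_hold:
        return None
    if rec.record_type in EVENT_BASED:
        if rec.closed is None:
            return None        # still active: the retention clock has not started
        start = rec.closed
    else:
        start = rec.created
    return start + timedelta(days=RETENTION_DAYS[rec.record_type])


def due_for_disposal(records, as_of):
    """Records whose retention period has elapsed as of the given date."""
    due = []
    for rec in records:
        when = disposal_date(rec)
        if when is not None and when <= as_of:
            due.append(rec)
    return due


def dispose(records, as_of):
    """Return (records_kept, disposal_log).

    The actual deletion of rows, files or backups would happen here; a log line
    per record is what lets you show later that the schedule was followed.
    """
    due_ids = {r.record_id for r in due_for_disposal(records, as_of)}
    log = [f"{as_of.isoformat()} disposed {r.record_id} ({r.record_type})"
           for r in records if r.record_id in due_ids]
    kept = [r for r in records if r.record_id not in due_ids]
    return kept, log


# Constructed sample records (hypothetical, for illustration only).
SAMPLE_RECORDS = [
    Record("v1", "visitor_log", date(2024, 1, 15)),
    Record("v2", "visitor_log", date(2024, 5, 1)),
    Record("f1", "fob_access_log", date(2023, 3, 1)),
    Record("r1", "resident_file", date(2019, 1, 1), closed=date(2022, 2, 1)),
    Record("r2", "resident_file", date(2019, 1, 1)),                 # still a resident
    Record("p1", "parking_permit", date(2023, 1, 1), closed=date(2023, 4, 1),
           legal_hold=True),
]

if __name__ == "__main__":
    kept, log = dispose(SAMPLE_RECORDS, date(2024, 6, 1))
    print("\n".join(log))
    print("kept:", [r.record_id for r in kept])
```

Run on a schedule against whatever store actually holds the records; the important design choice is that an active file (no move-out date) and anything under legal hold never reach the disposal list, while an unknown record type is an error rather than something silently kept forever.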
Safeguard the information you hold
PIPEDA requires safeguards appropriate to the sensitivity of the data. For a building, that means a mix of physical, technical, and administrative controls: locked storage for paper, access restricted to staff who genuinely need it, strong authentication, and clear rules about not emailing resident lists around or leaving them on a lobby clipboard.
Role-based access matters here. A concierge does not need the same view as a property manager, and a contractor needs none of it. Keeping personal data in a single system with proper permissions and an access log is far safer than spreadsheets scattered across personal devices and inboxes.
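To make the point about role-based views and access logs concrete, here is an added example (not code from the article or from any product it mentions) of a resident directory in which each role is mapped to the fields it may read, every read attempt, allowed or denied, is written to an audit log, and a role-specific view returns only the permitted fields. The roles, field names and sample residents are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime

# Hypothetical role -> readable-fields map. Roles and field names are
# assumptions for this example, not a real product's data model.
ROLE_FIELDS = {
    "property_manager": {"name", "unit", "phone", "emergency_contact", "vehicle", "fob_id"},
    "concierge": {"name", "unit", "vehicle"},
    "contractor": set(),      # contractors get no resident data at all
}


@dataclass
class AccessEvent:
    when: datetime
    actor: str
    role: str
    resident_id: str
    field: str
    allowed: bool


class ResidentDirectory:
    """One permissioned store, instead of spreadsheets on personal devices."""

    def __init__(self, records):
        self._records = records          # resident_id -> dict of fields
        self.audit_log = []              # list of AccessEvent, denials included

    def _log(self, actor, role, resident_id, field, allowed, now):
        self.audit_log.append(AccessEvent(now or datetime.now(), actor, role,
                                          resident_id, field, allowed))

    def read(self, actor, role, resident_id, field, now=None):
        """Return one field if the role permits it; log the attempt either way."""
        permitted = field in ROLE_FIELDS.get(role, set())   # unknown role: nothing
        self._log(actor, role, resident_id, field, permitted, now)
        if not permitted:
            raise PermissionError(f"role {role!r} may not read {field!r}")
        return self._records[resident_id][field]

    def view(self, actor, role, resident_id, now=None):
        """The subset of a resident's record this role is allowed to see."""
        record = self._records[resident_id]
        fields = ROLE_FIELDS.get(role, set())
        self._log(actor, role, resident_id, "view", bool(fields), now)
        return {f: record[f] for f in fields if f in record}

    def denied_attempts(self, actor=None):
        """Denied reads, optionally for one actor; a quick input to periodic review."""
        return [e for e in self.audit_log
                if not e.allowed and (actor is None or e.actor == actor)]


# Constructed sample data (hypothetical residents).
SAMPLE_RESIDENTS = {
    "R-102": {"name": "Priya Chen", "unit": "5B", "phone": "555-0102",
              "emergency_contact": "Raj Chen 555-0199", "vehicle": "ABC 123",
              "fob_id": "F-2201"},
}

if __name__ == "__main__":
    d = ResidentDirectory(SAMPLE_RESIDENTS)
    print(d.view("kim", "concierge", "R-102"))
    try:
        d.read("acme-plumbing", "contractor", "R-102", "phone")
    except PermissionError as exc:
        print("denied:", exc)
    print(len(d.denied_attempts()), "denied attempt(s) logged")
```

Two details carry the security weight: an unknown role falls through to an empty set (fail closed), and denials are logged with the same detail as successful reads, so a staff account that keeps probing fields it should not see shows up in the log rather than disappearing.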
Handle access requests (DSARs) properly
Under PIPEDA, individuals generally have the right to ask what personal information you hold about them, how it is used, and to whom it has been disclosed, and to request access to it. When a resident makes such a request, you typically must respond within a defined timeframe (often 30 days) and usually at little or no cost.
Have a process so a request does not catch you flat-footed: who receives it, how you verify the requester's identity, how you locate the data across your records, and how you redact information about other people before disclosing. You may refuse or limit access in specific situations the law allows, but you should be able to explain the basis.
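Two of the steps above, locating a resident's data across several record stores and redacting other people's information before disclosure, are mechanical enough to script. The following is an added example, not code from the article or from any product it mentions: it assembles one resident's data from a directory, a visitor log and a maintenance-ticket list, replaces other residents' and visitors' names with a redaction marker, and computes a response due date from the request date. The residents, events and ticket text are constructed sample data, and the 30-day window is taken from the article's "often 30 days"; confirm the period that actually applies to you.

```python
import re
from datetime import date, timedelta

# Response window: the article says the timeframe is "often 30 days".
RESPONSE_DAYS = 30
REDACTED = "[REDACTED]"

# Constructed sample records (hypothetical residents and events, not real data).
RESIDENTS = {
    "R-102": {"name": "Priya Chen", "unit": "5B", "phone": "555-0102"},
    "R-117": {"name": "Marcus Hale", "unit": "4B", "phone": "555-0117"},
}
VISITOR_LOG = [
    {"date": "2024-05-20", "host": "R-117", "visitor": "Dana Ortiz", "purpose": "delivery"},
    {"date": "2024-05-21", "host": "R-102", "visitor": "Sam Lee", "purpose": "guest"},
]
TICKETS = [
    {"id": "T-7", "reporter": "R-117", "unit": "4B",
     "notes": "Water through ceiling, likely from 5B (Priya Chen). Chen notified by phone."},
    {"id": "T-9", "reporter": "R-102", "unit": "5B", "notes": "Radiator valve replaced."},
]


def third_party_names(subject_id):
    """Full names and surnames of everyone except the requesting resident."""
    names = []
    for rid, rec in RESIDENTS.items():
        if rid != subject_id:
            names.append(rec["name"])
            names.append(rec["name"].split()[-1])     # surname on its own
    for entry in VISITOR_LOG:
        names.append(entry["visitor"])
    # Longest first, so "Priya Chen" is replaced before the bare surname "Chen".
    return sorted(set(names), key=len, reverse=True)


def redact(text, subject_id):
    """Replace other people's names in free text with the redaction marker."""
    for name in third_party_names(subject_id):
        text = re.sub(r"\b" + re.escape(name) + r"\b", REDACTED, text)
    return text


def compile_dsar(subject_id, request_date):
    """Gather everything held about one resident, with third parties redacted."""
    subject = RESIDENTS[subject_id]
    name = subject["name"]
    tickets = []
    for t in TICKETS:
        # A ticket is about the subject if they filed it or are named in it.
        if t["reporter"] == subject_id or name in t["notes"]:
            tickets.append({
                "id": t["id"],
                "unit": t["unit"],
                "reporter": "self" if t["reporter"] == subject_id else REDACTED,
                "notes": redact(t["notes"], subject_id),
            })
    # Visitor names are the visitor's personal information, not the host's.
    visits = [{"date": e["date"], "visitor": REDACTED, "purpose": e["purpose"]}
              for e in VISITOR_LOG if e["host"] == subject_id]
    return {
        "subject": subject_id,
        "received": request_date,
        "due_by": request_date + timedelta(days=RESPONSE_DAYS),
        "profile": dict(subject),
        "tickets": tickets,
        "visitor_entries": visits,
    }


if __name__ == "__main__":
    for line in compile_dsar("R-117", date(2024, 6, 3)).items():
        print(*line)
```

Name-based redaction is only as good as the list of names it knows about, so in practice the assembled package still gets a human review before it goes out; what the script buys you is a repeatable first pass and a due date you will not miss.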
Be ready for a breach before one happens
PIPEDA requires organizations to report, to the Office of the Privacy Commissioner of Canada and to affected individuals, any breach of security safeguards that creates a real risk of significant harm, and to keep records of breaches. "Significant harm" includes things like identity theft, fraud, humiliation, or damage to reputation, exactly the kind of fallout from a leaked resident list or stolen access logs.
Decide in advance who leads the response, how you contain the incident, how you assess the risk of harm, and how you notify people. A calm, documented response that contains the problem and tells affected residents promptly is both a legal expectation and the thing that preserves trust.
Make privacy part of the operating routine
Compliance is not a binder you write once. Appoint someone accountable for privacy, write down your purposes and retention rules, train staff on what they can and cannot do with resident data, and review the whole thing periodically. Keeping personal information in one secure, permissioned system rather than scattered files makes every one of these obligations easier to meet.
Done well, privacy practice is not a burden so much as good operational hygiene: collect less, protect what you keep, be straight with residents about why, and be ready to act if something goes wrong.
See BuildingAutopilot on your building
One role-aware platform for packages, maintenance, security, amenities, parking, and residents. Book a personalized walkthrough.