Data privacy faces renewed scrutiny in condos

Vaccine policies in condos raise questions over technology’s role
Friday, October 29, 2021
By Rebecca Melnyk

Collecting proof of vaccination carries risks of exposing private health data. Maintaining residents’ privacy is nothing new in condos, but optional vaccine policies are bringing more relevance to the issue of confidentiality and how technology safely handles information.

Joe Masoodi, senior policy analyst at Ryerson University’s Leadership Lab, says condo corporations should approach the types of tools they are considering adopting with caution.

“Some tools can be very dodgy,” he says. “For instance, PortPass was an app that was launched presumably to make it more convenient for individuals to show their vaccination status. Unfortunately, the company didn’t have in place adequate security measures, exposing the personal data of hundreds of thousands of users, including blood type, email address, and photos of identification like drivers licence.”

Ari Soroka, vice-president of operations at Nadlan Harris, recently said during the CAI Canada V-CON(DO) conference that condos will likely need to rely heavily on technology, while considering privacy. “We are asking to collect private data on people’s health,” he noted. “How do we deal with it? How do we handle it?”

One idea is a special key fob for residents who’ve proven their vaccination status. The fob number would be the only data registered, trackable for management, but with no direct link to identify the individual. In this sense, data could be retained without perpetually checking one’s vaccine proof.

“That will depend on the logistics of a corporation,” added condo lawyer Josh Milgrom of Lash Condo Law. “Do they have a security guard, a fob system that could potentially be programmed once someone provides their vaccination status? All of that is important.”

Overall, Masoodi says it’s possible to see a national or province-wide proof-of-vaccine app being used by condo corporations for residents to access common areas. “This may be seen as involving less risk compared to adopting other less vetted tools or technologies,” he notes. “Regardless of what tools condo corporations plan to adopt, questions of enforcement are likely to be raised.”

Since the pandemic began, digital tools to manage the spread of COVID-19 have been a contentious issue in condo communities. Last year, the Cybersecure Policy Exchange at Ryerson University conducted a survey on contact tracing apps, “mobile device applications that track the proximity of other mobile devices and alert users if they have come close to someone infected with COVID-19.”

“Canadians were strongly opposed to making contact tracing apps mandatory by condominiums or landlords,” says Masoodi. Almost half of Canadians (45 per cent) disagreed in this regard, compared to 30 per cent who were in favour. More Canadians supported its presence within workplaces and public transit.

Whatever health data is retained in relation to mandatory vaccination, the consensus among some condo lawyers is to implement a privacy policy to guide how such data will be handled and preserved.

As it stands, Ontario’s COVID-19 vaccination certificate rules require people to prove they are fully vaccinated to access specific venues like gyms. Businesses have been requiring this proof through a paper document and the Verify Ontario app and QR codes.

Recent headlines have also revealed some frailties in these proof-of-vaccination protocols, suggesting that users, but also those requesting proof, be cautious.

“There’s a risk that QR codes can be illicitly obtained,” says Masoodi. “This was the case in Quebec when hackers were able to acquire the QR codes of political leaders including the premier. Downloadable paper receipts are also subject to fraud and altered through common software.

“Fraudulent proof-of-vaccination documents have been known to be sold on platforms like Telegram as well as on the dark web. QR codes can also be used to link to fraudulent URLs such as displaying fake information including fake vaccination status.”

Cyber aware

Residents and staff are also advised to safeguard their own personal vaccine data. “From a cybersecurity point of view, one of the issues with [QR codes] is the same as with all information that people store digitally — many users do nothing to protect it,” says Daniel Markuson, a digital privacy expert with NordVPN. “Most users store their vaccination proofing documents on their smartphones. And failing to ensure their safety helps hackers to find system loopholes more easily.”

NordVPN’s latest survey showed that a quarter of Canadians do not protect their smartphones by any of the possible lock methods. Almost half of them (42 per cent) use a PIN code to protect their device. But according to InfoSec experts’ study, 26 per cent of all phones can easily be cracked with simple digital passcodes, such as “1234”, “1111”, “123456”, “000000.”

As a small business, condo corporations are at risk of cyber-attacks and must be diligent about protecting residents’ personal information. According to an IBM report, an average cost of a data breach in Canada is $5.4 million.

Therefore, as Markuson says, collecting data should be as “breach-proof” as possible, and management should start by training employees, teaching them cybersecurity basics, and monitoring the use of computer equipment to audit employees’ digital literacy.

“According to NordPass research, the most popular password among real estate industry employees is “password”. So, they have a lot to learn,” he says. “Businesses should make sure they are collecting only as much data as needed. “The less information they keep about their residents, the safer it will be for the businesses.”



Leave a Reply

Your email address will not be published. Required fields are marked *