SMA 2013: Your condo management cannot divulge Covid-19 personal data to other strata residents

The presence of Covid-19 patients in strata communities is seen to increase drastically as the rate of infection increases in Malaysia. The pandemic has changed the way homeowners use and enjoy the common property of their subdivided buildings. While they are expected to contribute to the maintenance, management and upkeep of the strata development as a whole, their rights to use and enjoy the common property have come under significant control and regulation.

The promulgation of the movement control order (MCO) under the Prevention and Control of Infectious Diseases Act 1988 (PCIDA) and the Police Act 1967, has lead strata dwellers to increasingly ask themselves whether something is permissible in law, or not. One such subject is whether the Joint Management Body (JMB) or Management Corporation (MC) or Sub-MC (collectively referred to as ‘management bodies’) has the powers to disclose personal details such as the names or unit numbers of Covid-19 patients to other residents, whether expressly requested by them or disclosed by the management bodies on its own accord. For ease of discussion, reference here will be made to the management corporation alone.

The management corporation is a body corporate having perpetual succession and a common seal which may sue and be sued – as laid out in Section 17(4) of the Strata Titles Act 1985. The authority that the general body exercises, is exercised on behalf of all proprietors for their common benefit in relation to their common property. Its powers are limited to regulating control over maintenance and management of the subdivided building/ land and the common property in the strata development, pursuant to the Strata Management Act 2013 (SMA).

Communication and Crisis Management skills must be improved

While strata proprietors presently find themselves in the height of struggle deciphering misinformation and conflicting account of what is permissible and what is prohibited, a worrying trend emerges in the Malaysian property management scene where a frenzy of misquoting and erroneous citing of legislation in circulars, notices and newspaper articles are widespread. Although most of them are inadvertent mistakes made by laymen, some of such instances could have been avoided. Reference was made to the Personal Data Protection Act 2010 (PDPA) by some circles stating that according to the PDPA, management corporations cannot disclose the personal data of residents. The common ground is that the personal data of Covid-19 patients or that of their families cannot be disclosed to other residents, but making reference to PDPA is wrong.

The Court of Appeal in Amber Court Management Corp & Ors. (Suing in their capacity of Council Members) Vs Hong Gan Gui & Anor [2016] stated that the management corporation is neither a trading nor a non-trading corporation. It follows, therefore, the management corporation is not a commercial entity and its dealings with proprietors are not commercial in nature. In the absence of any case precedent, any suggestion that the PDPA applies to management corporations is perhaps stretching the legislative intent a little too far. The PDPA is intended to regulate the processing of personal data of data subjects, in commercial transactions with data users and it provides for matters connected therewith and incidental thereto.

The pandemic showed the need for management bodies and their appointed property management companies to improve their communication and crisis management skills. It includes alerting the relevant authorities when coronavirus cases were detected, displaying appropriate notices for residents and handling matters pertaining to home quarantine. Keeping the community informed of the latest SOPs are necessary. This is because no one really knows how long this pandemic will last or when the next transmissible disease will break out. It is of utmost importance that provisions of essential services such as utilities, security and cleaning service must not be disrupted.

Misguided proposals may lead to prejudice

Not understanding the prevailing laws will give rise to some misguided property management companies proposing to management committees to issue consent forms and templates to coerce residents to consent to the disclosure of their personal details. Purportedly, such disclosure would enable the majority of the residents to take extra precautions to stay safe from any potential infection. Even so, the minority’s right to peacefully recover in their own homes while under quarantine or the right to return to their homes after treatment without being subjected to unpleasant shunning and social stigma, must turn the scales against the will of the majority. Also, to leave such annihilatory decisions to the province of property managers or the management committees is frankly inappropriate. The material prejudice the minority could suffer has wide-raging negative social and legal consequences on communities. Social distancing need not lead to social division!

Although the powers to collect and deal with personal data is limited and restricted to the course of performing their duties and functions under the Strata Management Act 2013, there is more to this than meets the eye. Truth is, in carrying out the statutory duties it can and often do, the collection of personal data such as names of proprietors, their contact details, identity card numbers, copies of strata title, names of visitors, email addresses, proprietors’ vehicle numbers, details of parcel share units, emergency contact, the names and addresses of the SPA lawyers who acted for the proprietors and even thumbprints. That’s a substantial amount of personal data collection come to think of it.

Property management companies or the security guards of a condominium are all data intermediaries who collect and processes personal data on behalf of the management corporation. Also, these data intermediaries may abuse residents’ personal data. The SMA and the regulations therein do not clearly spell out the remedies available to proprietors in this regard. The dealing with residents’ personal data must conform to what is expressly provided for in the SMA or may be fairly regarded as incidental to those powers. For example, the management corporation has no business collecting marriage certificates or bank statements or school report cards!

It is trite law that a body created by a statute only has powers granted expressly or by implication in that statute. The obligations and powers of the management corporation are set out in Section 59 of the SMA wherein subsection (2) reads “The powers of management corporation shall be as follows: …”. Although it is not always imperative, it is correct to hold that the phrase is couched in mandatory conclusive terms. Therefore, to solve the conundrum of whether management corporations can disclose personal details to other residents, one needs to look no further than the Strata Management Act 2013.

Gap in the Strata Management Act 2013 in regard to Personal Data

There is no real attempt to develop and implement policies on the proper handling of personal data by management corporations. This was hardly even debated adequately when the SMA was enacted. When proposals for reform of SMA are put forth and it hoped that Bar Council, Malaysia will lead the discourse and pave the way to introduce the necessary safeguards against abuse of personal data. These are legal questions on the rights and liabilities of proprietors and the duties and powers of the management corporation, such discourse must involve adequate legal analysis.

Source: iProperty