Privacy law – Looking after your clients’ most valuable asset
By Campbell Featherstone, senior associate at Dentons Kensington Swan.
Real estate agents are entrusted with advising on one of the biggest decisions that most individuals will ever have to make. The sale or purchase of a family home is one of, if not the most, significant financial decisions in most lifetimes. Making that decision requires a client to put the utmost trust in the agent advising them.
Real estate agents are also entrusted with one of their clients’ most valuable assets. Not the home itself: but their clients’ personal information. And the importance of that word – trust – can come home to bite agents who don’t treat the personal information with the care and respect that is deserving of the trust placed in them by their clients. If a client can’t trust you with their personal, private information, how can they trust you to sell their home?
All jurisdictions in which real estate agents operate have laws in place which are designed to protect the privacy of personal information. The best first step any agent can do to ensure that they do not end up taking a misstep with their clients’ personal information – and lose their clients’ trust – is to assess what laws actually apply, and ensure that they have appropriate procedures and processes for dealing with personal information that comply with their local law requirements and practice.
Most of these local law requirements follow some pretty obvious, common-sense principles. The privacy of a potential purchaser in Auckland is just as important as the privacy of a potential seller in Oakland.
Here are some high-level tips to get you thinking about what you need to do to ensure that your current, future (and past, but potentially repeat!) clients can continue to entrust you with their valuable information:
- Think carefully about what you collect. When you collect personal information, you need to think about the purpose for which you’re collecting it. Generally, you can only use or disclose personal information for that purpose – you can’t just hold on to it and then decide one day that it might be worthwhile making use of it for a brand new reason. Think carefully about the structure of any forms that you ask clients to fill out, and assess what you are going to do with the information – and on what grounds.
- Transparency is key. Most jurisdictions require you to tell someone when you are collecting personal information from them (in cases where it’s not obvious!), and to tell them the purposes for which you’re going to use the information, and to whom you might disclose it. Set this all out in writing in a clear privacy disclosure, and be as transparent as possible (in as plain language as possible) about your intentions. In some cases, you may even need to obtain your clients’ consent to use or disclose their personal information – make sure you do so openly and without ‘burying’ anything in the fine print.
- Security is paramount. Make sure the systems you have in place to protect your files are robust, and up-to-date. If you’re storing information locally (like on a hard drive), make sure your anti-virus software is kept current and that patches are installed swiftly. If you’re storing information on the cloud, make sure you are using a reputable provider and that your access credentials are kept secure.
- Mitigate the risk of human error. There’s nothing more difficult than having to own up to a mistake of your own doing. We’ve all sent emails to the wrong person. Mitigate the risk of that mistake snowballing into a catastrophe – where practical, make sure any attachments that contain personal information are password-protected (and passwords sent separately) so that even if they are sent to the wrong recipient, the recipient can’t make use of them. And take extra care when relying on physical copies of personal information, especially when out of the office: don’t leave your briefcase on the doorstep or out of your sight. Treat personal information like you would expensive jewellery: but know that while your insurance might replace a diamond necklace or a gold watch, it won’t cover the loss to your reputation and business if your clients’ trust in you disappears.
- Have a plan for fessing up. Mistakes do happen. Owning up can be hard, but it is the first step in regaining the trust that will have been eroded when a client’s personal information is misused or subject to unauthorised access. Owning up is less hard when you have a strategy in place for dealing with a privacy breach before a breach occurs (rather than making one up on the fly): you’re much more likely to be able to address your clients with the confidence they’ll need to observe from you in order to rebuild the damage to your client relationship.
This guest blog post was written by Campbell Featherstone, a senior associate in the Wellington office of Dentons Kensington Swan. Campbell is an experienced technology and commercial lawyer with, among other things, a keen interest in international privacy law, practice, and trends.