This document lays out technical information required in relation to the ‘Privacy Act Guidance for Landlords and Tenants’ issued in August 2019 by the Privacy Commissioner. It pertains only to areas that are relevant to our software and only contains extracts which may require answers about data storage and security. Please read the full document for your responsibilities as a ‘Property Manager’
- Principles 1 to 4
This section relates to how and what information you collect in relation to a tenant. Please be aware Palace has no responsibility in this area. We do not moderate or audit data that you or your employees enter into Palace.
- Principle 5
“An agency is required to have reasonable security safeguards to protect against the loss, disclosure and misuse of personal information (see principle 5).
For instance, it is a good practice to keep property information separate from tenant
information. That way, tenant information, which can include sensitive personal information like criminal record and credit checks, can be safeguarded separately and only accessed by those who need it see it.”
NOTE: Palace already adheres to this principle area by keeping all documentation and correspondence in separate ‘Diaries’ for the ‘Owner’, ‘Property’ and ‘Tenancy’ within the system.
This section explains both Policies and Practices to use when dealing with client data. The 2 sub-sections that relate to the Palace software are as follows….
“How can I physically secure personal information?”
Palace Server: If you are using a ‘Server’ version of Palace and host the data yourself, it’s important you secure your local area network with your IT support team / technician. Palace requires a username and passwords for all ‘Agents’ to access the system and it’s good practice to make sure each agent has their own login. It’s important to note that if Palace ‘Server’ is hosted on an ‘Insecure’ network it is still vulnerable to breaches (i.e. Palace is only as secure as the environment it’s hosted in). If you are concerned about this, please talk to us about moving to our Cloud based version.
Palace App (Apple / Android): If you are using our ‘Live’, ‘Liquid’ or ‘Server’ version with the Palace App on Android or iOS you need to be aware that certain data is saved directly on the device in order to look-up data and perform inspections offline (in areas where internet access in unavailable or the user does not wish to use mobile data). Although the App itself also contains a username and password in order to protect that local data, there is an option to store images outside the App in the Camera Roll. In this case those images are not protected by anything other than the standard ‘Mobile Device’ security. It’s also important to realise that if a user is already logged into the App, this authentication will ‘persist’ for the convenience of the user. For this reason, it's also important to make sure all devices with the Palace App installed have the devices default security implemented when the phone is locked (e.g. Pin, Fingerprint, Face recognition etc..).
External Exports / Files: Please be aware that all data exported outside of the Palace software in to separate individual files such as PDF’s or Word Documents are no longer protected by our environment and become your responsibility
“What does the Privacy Act say about cloud computing?”
Palace Live: If you are using ‘Palace Live’ your ‘Live’ data is stored in Auckland (NZ) for NZ clients and Sydney (Australia) for all Australian clients. The data centre is run by Plan-B (https://www.planb.co.nz) and is extremely secure behind our custom VPN with encrypted gateway access.
Liquid Palace: If you are using our new ‘Liquid Palace’ your system is hosted on ‘Microsoft Azure’ cloud services with built-in encrypted access / isolated protected data and site access via encrypted EV SSL Certificate. Data is also automatically backed up to alternate data centres within the Azure Environment (Primary data store in ‘Australia Southeast’ and mirrored in ‘Australia East’ data centres)