The Claim That Changed the Question
A resident in a Mississauga condominium was assaulted in the building's underground parking garage in 2023. The incident occurred at 11:40pm. The security company's overnight log for that night read: "P1 patrol completed, 11:35pm. Quiet night."
The patrol log did not record which areas were covered. It did not record what the officer observed. It did not contain a timestamp for when the officer returned to the front desk. When the insurance claim went to litigation, the security vendor could not produce evidence that the patrol had actually covered the parking level where the incident occurred. The patrol record existed. It was just useless.
The condo corporation was exposed. The question the board had been asking — is our security vendor licensed and insured? — was the wrong question. The right question was: if something goes wrong, are we protected by our documentation?
This post is about that question.
The Legal Framework: What You Are Actually Obligated To
PSISA — The Baseline
The Private Security and Investigative Services Act (Ontario) governs every security guard and security company operating in the province. Its requirements are the floor, not the standard.
Under PSISA, every officer must hold a valid licence issued by the Registrar of the Ministry of the Solicitor General. Every security agency must hold a valid agency licence. Officers must carry their licence at all times while on duty. Companies are prohibited from employing unlicensed individuals in licensed positions.
Before you sign any security contract, ask for the agency licence number and request copies of current officer licences for the individuals assigned to your building. This is not a hostile request. A reputable vendor produces these at the proposal stage, without being asked. At Chromium Guard, licensing documentation is provided before any contract is signed.
What PSISA does not cover: the quality of incident reporting, the format of documentation, retention schedules, or data privacy in visitor logs. Those obligations come from elsewhere.
The Ontario Condominium Act — Governance Records
Under the Ontario Condominium Act (1998) and its regulations, condo corporations are required to maintain specific records — including records related to the operation and management of the property. Security incident reports are operational records.
When a board needs to produce records in response to a unit owner request, a legal review, or an insurance audit, the quality and completeness of what exists in the file becomes the corporation's liability, not the security vendor's. The vendor filed the report. The corporation owns the record.
Vague incident logs, missing dates, unattributed entries, and absent follow-up documentation all create gaps that a plaintiff's counsel will find, and that an insurer will price.
PIPEDA — The Data Privacy Layer
The Personal Information Protection and Electronic Documents Act governs how personal information is collected, used, and retained. In the context of a residential building, this applies directly to visitor logs, contractor records, and CCTV footage.
A visitor log that captures names, unit numbers, entry times, and vehicle information is a PIPEDA-covered dataset. It must be collected only for a legitimate purpose, retained only as long as necessary for that purpose, and managed with appropriate security measures.
What this means practically:
- Visitor logs should not be accessible to all building staff without authorisation.
- Digital records must be stored securely, not in an open spreadsheet on a shared drive.
- CCTV footage has a defined retention window — typically 30 to 90 days for a residential building, but some jurisdictions and some incident types extend this. If footage related to a legal claim is deleted on a standard 30-day cycle before it is flagged as relevant, the corporation has a problem.
- Residents and visitors have the right to request information about what personal data you hold about them.
Your security vendor's documentation practices are, in effect, your building's PIPEDA practices. If you do not know how your vendor stores visitor data, you should ask.
The Four Documentation Gaps That Create Liability
1. The Incomplete Patrol Record
A patrol log that says "P1 completed, 02:15" is not a patrol record. A patrol record identifies the route covered, the areas observed, any anomalies noted, and the return time. Without specificity, the patrol log cannot be used to establish that a particular area was checked at a particular time — which is exactly what an insurer or a court will want to know.
2. The "Resolved" Entry with No Resolution Detail
"Noise complaint, unit 1104, resolved" tells you nothing. Resolved how? By whom? Was the unit occupant contacted? Was a formal warning issued? Was a property manager notified? When a complaint returns to the board as an escalated formal complaint, the board needs to know what happened the first time it was reported.
3. The Missing Incident Chain
When a security incident involves multiple parties — a visitor, a resident, a contractor, and a responding officer — the documentation should name each party and their role. Incident chains that reference "a male subject" without further description, or "the resident" without a unit number, create evidentiary problems that surface months or years after the fact.
4. The Absent Data-Retention Policy
How long does your vendor keep incident reports? How long does your building keep them? If the answer is "I'm not sure," that is a gap. Under most property insurance policies, incident documentation should be retained for a minimum of two years. Legal actions arising from incidents can surface well beyond that window. A thoughtful retention policy — and a vendor whose records are preserved beyond the minimum — is protection, not administrative overhead.
What "Board-Ready" Legal Documentation Actually Looks Like
A security report that serves the board's governance and legal obligations has six properties:
Complete. Every incident entry names the date, time, location, parties involved, officer who responded, actions taken, escalations made, and resolution status.
Timestamped. Not just the incident — the report. A record that was written three days after the fact is worth less than a contemporaneous one. Digital reporting systems that timestamp entries at creation are the standard.
Consistent. A security report that uses different terminology month to month, or that records similar incidents differently depending on who was on shift, cannot be relied upon for comparative analysis or legal review.
Retained. Records should be stored for a minimum of 24 months, with an escalation hold applied to any record related to an incident that has entered a formal complaint, insurance claim, or legal process.
Accessible. When the board needs a record at short notice — for an insurance audit, a unit owner request, or a legal review — the vendor should be able to produce it quickly, in a format the board can use.
PIPEDA-compliant. Visitor and contractor data should be managed with defined access controls, a stated retention policy, and a process for responding to subject access requests.
The Conversation to Have With Your Vendor Before the Next Renewal
Four questions that surface the documentation quality of any security vendor:
- Can I see a sample of a real monthly report from an active site, redacted? You are looking for narrative, severity weighting, and forward indicators — not just a table of incident counts.
- How are your patrol logs structured? You are looking for route specificity, timestamped entries, and anomaly notation.
- What is your data-retention schedule for incident records and visitor logs? The answer should be specific and defensible.
- How do you handle CCTV footage in the event of an incident that may lead to a legal claim? The answer should include a footage preservation protocol.
If the answers are vague, that is your answer.
Our Approach
Chromium Guard's documentation practices are built around the assumption that any record we create may one day be reviewed by a lawyer, an insurer, or a court. That is not pessimism — it is the standard required to serve a condo corporation in a governance environment where boards are accountable for what they knew, when they knew it, and what they did about it.
Every incident entry in our system is timestamped at creation. Patrol routes are logged with specificity. Visitor data is held in a PIPEDA-compliant system with defined access controls. Records are retained for a minimum of 24 months, with legal holds applied when a formal complaint or claim is opened.
If your board wants to understand what this looks like in practice before a renewal decision, we are glad to walk through our documentation standard and provide a redacted sample report.
Request a confidential property assessment at chromiumguard.com/request-assessment or reach us directly at (437) 734-2345.