As of September 22, 2023, real estate agencies and self-employed brokers must publish detailed information about their personal information policies and practices on their websites. If they don’t have a website, they must make this information available by any other appropriate means, so that the public can easily refer to it.
You can tailor policies and practices to your company’s reality, so that they are proportionate to the nature and scale of its activities. However, they must contain at least the following mandatory elements:
- rules applicable to the retention and destruction of personal information;
- the roles and responsibilities of personnel with regard to the collection, use, communication, storage and destruction of data
- a process for handling privacy complaints.
Via Capitale Distinction (hereinafter “THE AGENCY” or the “BROKER”) is governed by the Act respecting the protection of personal information in the private sector (RLRQ, c. P-39.1) (the “Act”).
Personal information is information about a natural person that directly or indirectly allows that person to be identified. Writing, images, videos and sound recordings may contain personal information. In the course of its professional activities, the AGENCY or BROKER may collect personal information such as a person’s name, home address, date of birth, identification information, social insurance number, income information, marital status, etc. The AGENCY or BROKER is not responsible for any such personal information.
The AGENCY or BROKER collects, uses or communicates personal information with the consent of the person concerned. To be valid, consent must be manifest, free, informed and given for specific purposes. A person who consents to provide personal information is presumed to consent to its use and disclosure for the purposes for which it was collected.
Any person may withdraw his or her consent to the collection, use and disclosure of his or her personal information by the AGENCY or BROKER at any time. In this case, if the collection is necessary for the conclusion or performance of the contract by the AGENCY or BROKER, the AGENCY or BROKER may not be able to fulfill a service request.
Collection of personal information
The AGENCY or BROKER collects only the personal information required to carry out its real estate brokerage activities. For example, the information may be collected for the purposes of carrying out a real estate transaction, maintaining records, monitoring professional practice by the Organisme d’autoréglementation du courtage immobilier du Québec (OACIQ) or any other purpose determined by the AGENCY or BROKER and made known to the person whose consent is being sought.
The AGENCY or BROKER invites its staff members to explain in simple and clear terms to the person concerned the reasons for collecting his or her personal information and to ensure that they understand.
For the purposes of collecting personal information, the AGENCY or BROKER encourages its staff members to use the standardized forms developed by the OACIQ.
The AGENCY or BROKER may also collect personal information verbally during correspondence with persons involved in a transaction or through various documents submitted in connection with the completion of a real estate transaction (identification, financial documents, powers of attorney, etc.).
Use and disclosure of personal information
Personal information is used and disclosed for the purposes for which it was collected and with the consent of the person concerned. In certain cases provided for by law, personal information may be used for other purposes, for example, to detect and prevent fraud or to provide a service to the person concerned.
The AGENCY or BROKER may be required to disclose personal information to third parties, for example, suppliers, co-contractors, subcontractors, agents, insurers (such as the Fonds d’assurance responsabilité professionnelle du courtage immobilier du Québec[le FARCIQ]), professionals, other regulators, or outside Québec.
The AGENCY or BROKER may, without the consent of the person concerned, communicate personal information to a third party if such communication is necessary for the execution of a mandate or a contract for services or business. In this case, the AGENCY or BROKER will draw up a written mandate or contract in which it will indicate the measures that its agent must take to ensure the protection of the personal information entrusted to it, to ensure that it is used only for the purposes of the mandate or contract, and that it is destroyed once the mandate or contract has ended. The co-contractor must also undertake to cooperate with
AGENCY or BROKER in the event of a breach of confidentiality of personal information.
Before disclosing personal information outside Québec, the AGENCY or BROKER takes into account the sensitivity of the information, the purpose for which it will be used and the safeguards that will be in place outside Québec. The AGENCY or BROKER will communicate personal information outside Quebec only if its analysis shows that it will benefit from adequate protection in the place where it is to be communicated.
Retention and destruction of personal information
Once the purposes for which the personal information was collected or used have been fulfilled, the AGENCY or BROKER must destroy it, subject to the retention period stipulated in the Act. In this regard, the AGENCY’s or BROKER’s professional obligations require it to keep its files for at least six (6) years following their final closing.
When collecting, using, storing and destroying personal information, the AGENCY or BROKER applies the necessary security measures to protect the confidentiality of personal information. More specifically, the following measures apply:
- The Agency recommends collecting documents in digital format.
- When collecting personal information or when a document necessary to the work of the Agency or the Broker within the framework of the specific mandate given by the client is made on paper, the Agency or the Broker will be required to make digital copies of said documents.
- Paper documents belonging to the person concerned will be returned to him or her without delay, and the Agency or Broker will not keep any physical copy; only the digital copy will be retained.
- In the case of handwritten forms, a shredder is located near the Agency’s numerator so that the broker or Agency staff can destroy the physical documents without delay following their digitization.
- Digital copies are uploaded to the Electronic Document Management (EDM) system on the EzMax platform.
- Personal information may be consulted by a member of the Agency’s management staff, a member of the Agency’s administrative staff, the broker or brokers in the case of a real estate team concerned and the administrative staff of the broker or broker’s team of the Agency.
- No other Agency broker, unrelated to the person concerned, will have access to the information.
- DMS system personnel may have access to personal information (see EzMax policy).
- The DMS platform is responsible for the destruction of personal information after the 6-year period prescribed by the ICA.
A confidentiality incident is any access, use or disclosure of personal information that is not authorized by the Act, or the loss of personal information or any other breach of the protection of personal information.
The AGENCY or BROKER has established a protocol for managing a confidentiality incident, which identifies the persons who assist the Privacy Officer and sets out the concrete actions to be taken in the event of an incident. This protocol sets out the responsibilities expected at each stage of incident management, including the measures to be taken to ensure data security.
Roles and responsibilities
AGENCY or BROKER
- Ensures confidentiality of information through good information management practices. In particular, he/she provides directives, training and instructions to staff members regarding the collection, use, storage, modification, consultation, communication and permitted destruction of personal information.
- Deploys appropriate safeguards to reduce the risk of privacy incidents, e.g. computer security, updated personal information policies, staff training, etc.
- Has standardized methods for filing documents containing personal information.
- Has standardized methods for retaining documents containing personal information, including digitization procedures.
- Manages physical and computer access to personal information, based in particular on its sensitivity.
- Securely destroys personal information. More specifically, he/she gives directives or instructions to staff members regarding the secure destruction method, destruction deadlines, etc.
In accordance with the Act, the AGENCY or BROKER has appointed a Privacy Officer.
In particular, he/she ensures that these policies are respected and that they comply with applicable regulations. The name and contact details of this person are given in the “Right of access, withdrawal and rectification” section.
The Privacy Officer is responsible for managing incidents of confidentiality and, in this context, takes the actions provided for in the Act.
The Privacy Officer handles requests for access to and correction of personal information. He or she also handles complaints about the AGENCY’s or BROKER’s handling of personal information.
The Privacy Officer is consulted as part of a privacy impact assessment for any project involving the acquisition, development or redesign of an information system or the electronic delivery of services involving the collection, use, disclosure, retention or destruction of personal information. It may suggest measures to ensure the protection of personal information in the context of such a project.
A member of the AGENCY’s staff or the BROKER may view personal information only insofar as this is indispensable for the performance of his duties or mandate.
AGENCY staff member or BROKER :
- Ensures the integrity and confidentiality of personal information held by the AGENCY or BROKER.
- Complies with all policies and directives of the AGENCY or BROKER on access, collection, use, disclosure, destruction of personal information and on information security and respects the instructions presented to him/her.
- Respects the security measures in place at the workstation and on any equipment containing personal information.
- Use only the equipment and software authorized by the AGENCY or BROKER.
- Ensures the secure destruction of personal information in accordance with instructions. Immediately report to his/her superior any act of which he/she is aware that may constitute an actual or suspected breach of security rules relating to personal information.
Right of access, withdrawal and rectification
An individual (or his/her authorized representative) may request access to his/her personal information held by the AGENCY or BROKER. An individual may withdraw his or her consent to the collection, use and disclosure of his or her personal information at any time. This withdrawal will be recorded in writing.
An individual may request the correction of personal information in a file concerning him or her that he or she believes to be inaccurate, incomplete or equivocal.
The AGENCY or BROKER may refuse a request for access or rectification in the cases provided for by law.
An aggrieved person may file a complaint regarding the processing of his or her personal information by the AGENCY or BROKER. This complaint will be handled diligently within a maximum of 3 days by the Privacy Officer and a written response will be sent to you.
Complaint handling process
- The subject of the complaint will be studied by the person in charge of personal information.
- The complainant will be contacted within 3 days.
- The person in charge of personal information will investigate the subject of the complaint, in particular by contacting the individuals concerned by the complaint.
- The person responsible for personal information may have access to this information in order to manage the complaint.
- Where applicable, the incident will be recorded in the Agency’s Personal Information Incident Register.
- The Privacy Officer will communicate the results of the investigation in writing to the complainant and, where appropriate, will inform the complainant of the actions taken by the Privacy Officer to resolve the issue.