Governance policies and practices regarding personal information
Jean-Nicolas Lessard-Gravel (hereinafter the “AGENCY” or the “BROKER”) is governed by the Act respecting the protection of personal information in the private sector (CQLR, c. P-39.1) (“the Act”).
Personal information
Personal information is any information which relates to a natural person and allows that person, directly or indirectly, to be identified. A written document, an image, a video or a sound recording may contain personal information. In the course of its/his professional activities, the AGENCY or the BROKER may collect personal information such as the name, home address, date of birth, identification document information, social insurance number, income information, marital status, etc.
Consent
The AGENCY or the BROKER may collect, use and communicate personal information with the consent of the person concerned. To be valid, consent must be manifest, free, enlightened and given for specific purposes. The person who consents to provide his/her personal information is presumed to consent to its use and communication for the purposes for which it was collected.
Any person may at any time withdraw his/her consent to the collection, use and communication of his/her personal information by the AGENCY or the BROKER. In such cases, if the collection is necessary for the conclusion or performance of the contract by the AGENCY or the BROKER, the AGENCY or the BROKER may not be able to fulfil a request for service.
Responsibility
The AGENCY or the BROKER is responsible for protecting the personal information held in the course of its/his real estate brokerage activities. To this end, the AGENCY or the BROKER has adopted a privacy policy as well as governance policies and practices concerning personal information, the purpose of which is to control the collection, use, communication, retention and destruction of personal information.
Collection of personal information
The AGENCY or the BROKER collects only such personal information as is necessary to carry out its/his real estate brokerage activities. For example, this information may be collected for the purposes of carrying out a real estate transaction, record keeping, monitoring of professional practices by the Organisme d’autoréglementation du courtage immobilier du Québec (OACIQ), or any other purpose determined by the AGENCY or the BROKER and made known to the person whose consent is being sought.
The AGENCY or the BROKER encourages its/his staff members to explain in simple and clear terms to the person concerned the reasons for the collection of personal information, and to make sure these reasons are understood.
For the purpose of collecting personal information, the AGENCY or the BROKER encourages staff members to use the standardized forms developed by the OACIQ.
The AGENCY or the BROKER may also collect personal information verbally in the course of correspondence with persons involved in a transaction, or through various documents submitted for the completion of a real estate transaction (identification documents, financial documents, powers of attorney, etc.).
Use and communication of personal information
Personal information is used and communicated for the purposes for which it was collected and with the consent of the person concerned. In certain cases provided for under the Act, personal information may be used for other purposes, for example to detect and prevent fraud or to provide a service to the person concerned. Data will not be shared or sold to third parties for marketing or promotional purposes.
The AGENCY or the BROKER may be required to communicate personal information to third parties, including suppliers, co-contractors, sub-contractors, mandataries, insurers (such as the Fonds d’assurance responsabilité professionnelle du courtage immobilier du Québec [FARCIQ]), professionals, other regulators, or parties outside Québec.
The AGENCY or the BROKER may, without the consent of the person concerned, communicate personal information to a third party if such communication is necessary to carry out a mandate or to perform a contract for services or of enterprise. In such a case, the AGENCY or the BROKER draws up a written mandate or contract and specifies the measures which the mandatary must take to ensure that the personal information communicated is protected, so that it is used solely to carry out the mandate or perform the contract, and is destroyed after completion of same. The co-contractor must also undertake to cooperate with the AGENCY or the BROKER in the event of breach of confidentiality of the personal information.
Before communicating personal information outside Québec, the AGENCY or the BROKER must take into account the sensitivity of the information, the purpose for which it is to be used and the protection measures that will be in place outside Québec. The AGENCY or the BROKER will communicate personal information outside Québec only if an analysis shows that the information will be adequately protected in the place where it is to be communicated.
Retention and destruction of personal information
Once the purposes for which the personal information was collected or used have been fulfilled, the AGENCY or the BROKER must destroy the information, subject to a retention period stipulated under the Act. As stipulated in their professional obligations, the AGENCY or the BROKER must retain records for at least six (6) years following the final closing of a file.
Security measures
When collecting, using, retaining and destroying personal information, the AGENCY or the BROKER applies the necessary security measures to protect the confidentiality of the information. More specifically, the following measures apply:
Only authorized persons have access to personal information. An access management system is in place to monitor and control these authorizations.
Staff training: Staff are trained in good data security practices and privacy awareness.
Continuous monitoring: Systems are continuously monitored to detect any suspicious activity or intrusion.
Secure destruction: When it's time to destroy personal information, this is done securely and in accordance with current regulations.
Legal compliance: The AGENCY or BROKER complies with all applicable data protection and privacy laws and regulations.
Confidentiality incident
A confidentiality incident is any access, use or communication of personal information that is not authorized under the Act, or the loss of personal information or any other breach of protection of personal information.
The AGENCY or the BROKER has implemented a confidentiality incident management protocol that identifies the persons who assist the Person in charge of the protection of personal information and sets out the concrete actions to be taken in the event of an incident. This protocol specifies, among other things, the responsibilities expected at each stage of incident management, including the measures to be taken to ensure the security of the data.
Roles and responsibilities
1. The AGENCY or the BROKER
The AGENCY or the BROKER:
- Ensures the confidentiality of the information through good information management practices. In particular, it/he provides guidelines, training and instructions to staff members regarding the authorized collection, use, storage, modification, consultation, communication and destruction of personal information.
- Implements appropriate protection measures to reduce the risk of confidentiality incidents, such as computer security, updating of policies relating to personal information, staff training, etc.
- Has standardized methods for the filing of documents containing personal information.
- Has standardized methods for the retention of documents containing personal information, including digitization procedures.
- Manages physical and computer access to personal information, based among other things on its sensitivity.
- Ensures the secure destruction of personal information. More specifically, it/he provides guidelines or instructions to staff members concerning secure destruction methods, timeframes for destruction, etc.
2. Person in charge of the protection of personal information
In accordance with the Act, the AGENCY or the BROKER has appointed a Person in charge of the protection of personal information.
This person is responsible, among other things, for ensuring that the policies are enforced and that they comply with applicable regulations. The name and contact details of this person can be found in the section “Right of access, withdrawal and rectification.”
The Person in charge of the protection of personal information is responsible for managing confidentiality incidents and, in this context, takes action as provided for under the Act.
The Person in charge of the protection of personal information handles requests for access and rectification of personal information. This person also handles complaints concerning the handling of personal information by the AGENCY or the BROKER.
The Person in charge of the protection of personal information is consulted as the event of a privacy impact assessment for any project involving the acquisition, development or redesign of an information system or the electronic delivery of services involving the collection, use, disclosure, retention or destruction of personal information. This person may suggest measures to ensure the protection of personal information in the context of such a project.
3. Staff members
Staff members of the AGENCY or the BROKER may access personal information only to the extent necessary for the performance of their duties or mandates.
The staff member of the AGENCY OR BROKER:
- Ensures the integrity and confidentiality of all personal information held by the AGENCY or the BROKER.
- Complies with all policies and guidelines of the AGENCY or the BROKER regarding access, collection, use, communication and destruction of personal information as well as information security, and complies with all instructions received.
- Respects the security measures implemented on his workstation and on any equipment containing personal information.
- Uses only such equipment and software as are authorized by the AGENCY or the BROKER.
- Ensures, when appropriate, the secure destruction of personal information in accordance with the instructions received. Immediately reports to his superior any act of which he is aware that may constitute an actual or suspected breach of security rules relating to personal information.
Right of access, withdrawal and rectification
A person (or his/her authorized representative) may request access to his/her personal information held by the AGENCY or the BROKER. A person may withdraw consent to the collection, use and communication of personal information. Such withdrawal is recorded in writing.
A person may request the correction of personal information in a file concerning him/her that he/she believes to be inaccurate, incomplete or unclear.
The AGENCY or the BROKER may refuse a request for access or rectification in the cases provided for under the Act.
Complaints
A person who deems to have been wronged may file a complaint regarding the handling of his/her personal information by the AGENCY or the BROKER. The complaint will be processed promptly within a maximum of 30 days by the Person in charge of the protection of personal information and will receive a written response.
To request access to or rectification of your personal information or to file a complaint regarding the handling of personal information, please contact: