Policies and practices governing the protection of personal information
Proprio Direct (hereinafter "THE AGENCY") is governed by the Act respecting the protection of personal information in the private sector (CQLR, c. P-39.1) (the Act).
Personal information is any information about an individual that can be used to identify that person directly or indirectly.
It is a piece of information that makes something known about someone, has a connection to a natural person and is likely to distinguish that person from someone else.
Personal information can be held on different media: a written note (paper document, email, text message), an audio medium (recording of a conversation, voice message), a visual medium (photo, video). In the course of its professional activities, the AGENCY may collect personal information such as the name, home address, date of birth, identification information, social insurance number, income information, marital status, etc.
The AGENCY collects, uses and communicates personal information with the consent of the person concerned. To be valid, this consent must be manifest, free, informed and given for specific purposes. An individual who consents to provide his or her personal information is presumed to consent to its use and disclosure for the purposes for which it was collected.
Individuals may withdraw consent to the collection, use and disclosure of their personal information by the AGENCY at any time. In this case, if the collection is necessary for the conclusion or performance of the contract by the AGENCY, the AGENCY may not be able to comply with a request for service.
Collection of Personal Information
The AGENCY only collects personal information that is necessary to carry out its activities in the field of real estate brokerage. For example, this may include information collected for the purposes of carrying out a real estate transaction, for the purposes of record keeping, the supervision of professional practice by the Organisme d'autoréglementation du courtage immobilier du Québec (OACIQ) or any other purpose determined by the AGENCY and brought to the attention of the individual whose consent is sought.
The AGENCY encourages its staff to explain in simple and clear terms to the individual the reasons for the collection of his or her personal information and to ensure that they are understood.
For the purposes of collecting personal information, the AGENCY encourages its staff members to use the standardized forms developed by the OACIQ.
The AGENCY may also collect personal information verbally during correspondence with individuals involved in a transaction or through various documents submitted as part of a real estate transaction (identity documents, financial documents, power of attorney, etc.).
Use and Disclosure of Personal Information
Personal information is used and disclosed for the purposes for which it was collected and with the consent of the individual concerned. In certain cases, provided for by law, personal information may be used for other purposes, for example, to detect and prevent fraud, to provide a service to the individual concerned.
The AGENCY may be required to disclose personal information to third parties, such as suppliers, contractors, subcontractors, mandataries, insurers (such as the Fonds d'assurance responsabilité professionnelle du courtage immobilier du Québec [FARCIQ], professionals, other regulators, or outside of Quebec).
The AGENCY may, without the consent of the individual concerned, communicate personal information to a third party if such communication is necessary for the performance of a mandate or a service or enterprise contract. In such a case, the AGENCY shall establish a written mandate or contract in which shall be indicated the measures that its mandatary must take to ensure the protection of the personal information entrusted to the AGENCY, so that said personal information is used only in the exercise of the mandate or contract and is destroyed after its termination. The contracting party must also undertake to cooperate with the AGENCY in the event of a breach of confidentiality of personal information.
Before disclosing personal information outside of Quebec, the AGENCY shall take into account its sensitivity, the purpose of its use and the safeguards it will benefit from outside Quebec. The AGENCY will only disclose personal information outside of Quebec if its analysis shows that it will benefit from adequate protection in the place where it is to be disclosed.
Retention and Destruction of Personal Information
Where the purposes for which the personal information was collected or used have been fulfilled, the AGENCY must destroy it, subject to a retention period provided for by law. In this regard, the AGENCY's professional obligations require it to retain its records for at least six (6) years following their permanent closure.
When collecting, using, retaining, and destroying personal information, the AGENCY applies the necessary security measures to protect the confidentiality of personal information. More specifically, the following are the applicable measures that the AGENCY has put in place to prevent or limit the consequences of a confidentiality incident:
- Taking inventory of personal information held in its possession and assessing its sensitivity.
- Management of physical and computer access to personal information held.
- Privacy awareness and training of its staff.
- Establishment of internal policies and directives to ensure the confidentiality and integrity of personal information.
- Implementation of a process for the secure destruction of personal information in accordance with the deadlines set out in the law.
- Provision of a response plan and internal directives in the event of a security incident.
A confidentiality incident is the access, use, disclosure of personal information not authorized by law, or the loss of personal information, or any other breach of the protection of personal information.
The AGENCY has put in place a confidentiality incident management protocol in which the individuals assisting the Privacy Officer are identified and which sets out concrete actions that must be taken in the event of an incident. This protocol includes the responsibilities expected at each stage of the incident’s management, including the measures to be taken to ensure data security.
Roles and Responsibilities
1. THE AGENCY
- Ensures the confidentiality of information through good information management practices. In particular, it provides direction, training and instruction to staff members regarding the collection, use, storage, modification, access, disclosure and permitted destruction of personal information.
- Deploys appropriate safeguards to reduce the risk of a privacy incident, for example, computer security, updating privacy policies, training of staff, etc.
- Has standardized methods for filing records containing personal information.
- Has standardized methods for retaining records containing personal information, including the scanning process.
- Manages physical and computer access to personal information based on its sensitivity.
- Securely destroys personal information. Specifically, it provides directives or instructions to personnel regarding the method of secure destruction, timelines for destruction, etc.
2. Privacy Officer
In accordance with the Act, the AGENCY has appointed the Privacy Officer (PO).
In particular, the AGENCY ensures that these policies are respected and that they comply with the applicable regulations. The name and contact information of this person can be found in the "Right of access, withdrawal and rectification" section.
The Privacy Officer is responsible for managing privacy incidents and, in this context, taking action under the Act.
The Privacy Officer handles requests for access to and correction of personal information, as well as manages complaints about the AGENCY's handling of personal information.
The Privacy Officer is consulted as part of a Privacy Impact Assessment for any project to acquire, develop and redesign an information system or electronic service delivery involving the collection, use, disclosure, retention or destruction of personal information. It may suggest measures to ensure the protection of personal information in the context of such a project.
3. Staff members
A member of the personnel of the AGENCY may access personal information only to the extent that it is essential for the performance of his or her duties or mandate.
The AGENCY staff members:
- Ensure the integrity and confidentiality of personal information held by the AGENCY.
- Comply with all AGENCY policies and directives on access, collection, use, disclosure, destruction of personal information and information security and comply with the instructions presented to it.
- Respect the security measures put in place on their workstation and on any equipment containing personal information.
- Use only equipment and software authorized by the AGENCY.
- Ensure, when appropriate, the secure destruction of personal information in accordance with the instructions received. Immediately report to their supervisor any act, of which they are aware, that may constitute an actual or suspected breach of the security rules relating to personal information.
Right of access, withdrawal and rectification
An individual (or their authorized representative) may request access to their personal information held by the AGENCY. An individual may withdraw consent to the collection, use and disclosure of his or her personal information at any time. This withdrawal shall then be recorded in writing.
An individual may request the correction of personal information in a file concerning him or her that he or she considers to be inaccurate, incomplete or ambiguous.
The AGENCY may refuse a request for access or correction in the cases provided for by the Act.
An individual who considers himself or herself aggrieved, may file a complaint about the AGENCY's handling of his or her personal information. The complaint must be submitted within 15 days after the day on which the individual becomes aware of an event giving rise to his or her complaint.
The complaint must be addressed in writing to the attention of the Agency's Access to Information and Privacy Officer (AIPO) at the following address:
Access to Information and Privacy Officer
3899, autoroute des Laurentides, suite 200
Laval, Quebec H7L 3H7
Or by email at firstname.lastname@example.org
A complaint must include the following information: the complainant's name, contact information and a brief statement of the reason(s) for the complaint.
An anonymous complaint is considered not received.
The AIIP acknowledges receipt of the complaint within 5 business days of receipt.
The AIPO investigates allegations of privacy breaches contained in the complaint, where appropriate. For the purposes of its investigation, the AIPO may request any information or document held by the Agency. The AIPO may appoint the necessary persons to conduct its investigation.
Within 30 days of receipt of the complaint, the AIPO shall communicate its findings to the person concerned.
If the person concerned fails to respond within the above-mentioned time limit, the AIPO is deemed to have rejected the complaint.