Governance policies and practices regarding personal information
Century 21 Immo-Plus (hereinafter the “AGENCY”) is governed by the Act respecting the protection of personal information in the private sector (CQLR, c. P-39.1) (“the Act”).
Personal information
Personal information is any information which relates to a natural person and allows that person, directly or indirectly, to be identified. A written document, an image, a video or a sound recording may contain personal information. In the course of its/his professional activities, the AGENCY may collect personal information such as the name, home address, date of birth, identification document information, social insurance number, income information, marital status, etc.
Consent
The AGENCY may collect, use and communicate personal information with the consent of the person concerned. To be valid, consent must be manifest, free, enlightened and given for specific purposes. The person who consents to provide his/her personal information is presumed to consent to its use and communication for the purposes for which it was collected.
Any person may at any time withdraw his/her consent to the collection, use and communication of his/her personal information by the AGENCY. In such cases, if the collection is necessary for the conclusion or performance of the contract by the AGENCY, the AGENCY may not be able to fulfil a request for service.
Responsibility
The AGENCY is responsible for protecting the personal information held in the course of its/his real estate brokerage activities. To this end, the AGENCY has adopted a privacy policy as well as governance policies and practices concerning personal information, the purpose of which is to control the collection, use, communication, retention and destruction of personal information.
Collection of personal information
The AGENCY collects only such personal information as is necessary to carry out its/his real estate brokerage activities. For example, this information may be collected for the purposes of carrying out a real estate transaction, record keeping, monitoring of professional practices by the Organisme d’autoréglementation du courtage immobilier du Québec (OACIQ), or any other purpose determined by the AGENCY and made known to the person whose consent is being sought.
The AGENCY or the BROKER encourages its/his staff members to explain in simple and clear terms to the person concerned the reasons for the collection of personal information, and to make sure these reasons are understood.
For the purpose of collecting personal information, the AGENCY encourages staff members to use the standardized forms developed by the OACIQ. The AGENCY may also collect personal information verbally in the course of correspondence with persons involved in a transaction, or through various documents submitted for the completion of a real estate transaction (identification documents, financial documents, powers of attorney, etc.).
Use and communication of personal information
Personal information is used and communicated for the purposes for which it was collected and with the consent of the person concerned. In certain cases provided for under the Act, personal information may be used for other purposes, for example to detect and prevent fraud or to provide a service to the person concerned.
The AGENCY or the BROKER may be required to communicate personal information to third parties, including suppliers, co-contractors, sub-contractors, mandataries, insurers (such as the Fonds d’assurance responsabilité professionnelle du courtage immobilier du Québec [FARCIQ]), professionals, other regulators, or parties outside Québec.
The AGENCY may, without the consent of the person concerned, communicate personal information to a third party if such communication is necessary to carry out a mandate or to perform a contract for services or of enterprise. In such a case, the AGENCY draws up a written mandate or contract and specifies the measures which the mandatary must take to ensure that the personal information communicated is protected, so that it is used solely to carry out the mandate or perform the contract, and is destroyed after completion of same. The co-contractor must also undertake to cooperate with the AGENCY in the event of breach of confidentiality of the personal information.
Before communicating personal information outside Québec, the AGENCY or the BROKER must take into account the sensitivity of the information, the purpose for which it is to be used and the protection measures that will be in place outside Québec. The AGENCY will communicate personal information outside Québec only if an analysis shows that the information will be adequately protected in the place where it is to be communicated.
We respect your privacy and are committed to protecting your personal information. Your data will not be shared for marketing or promotional purposes.
Retention and destruction of personal information
Once the purposes for which the personal information was collected or used have been fulfilled, the AGENCY must destroy the information, subject to a retention period stipulated under the Act. As stipulated in their professional obligations, the AGENCY must retain records for at least six (6) years following the final closing of a file.
Security measures
When collecting, using, retaining and destroying personal information, the AGENCY or the BROKER applies the necessary security measures to protect the confidentiality of the information. More specifically, the following measures apply:
All information collected are kept if in digital format in password locked files only accessible to the broker involved or supervisor in a secure document management system with servers off site and are erased once the regulatory period to maintain record has expired. And for paper documents are kept under lock and key and shredded and disposed of once the mandatory period has expired.
Confidentiality incident
A confidentiality incident is any access, use or communication of personal information that is not authorized under the Act, or the loss of personal information or any other breach of protection of personal information.
The AGENCY or the BROKER has implemented a confidentiality incident management protocol that identifies the persons who assist the Person in charge of the protection of personal information and sets out the concrete actions to be taken in the event of an incident. This protocol specifies, among other things, the responsibilities expected at each stage of incident management, including the measures to be taken to ensure the security of the data.
Roles and responsibilities
1. The AGENCY
The AGENCY:
- Ensures the confidentiality of the information through good information management practices. In particular, it provides guidelines, training and instructions to staff members regarding the authorized collection, use, storage, modification, consultation, communication and destruction of personal information.
- Implements appropriate protection measures to reduce the risk of confidentiality incidents, such as computer security, updating of policies relating to personal information, staff training, etc.
- Has standardized methods for the filing of documents containing personal information.
- Has standardized methods for the retention of documents containing personal information, including digitization procedures.
- Manages physical and computer access to personal information, based among other things on its sensitivity.
- Ensures the secure destruction of personal information. More specifically, it/he provides guidelines or instructions to staff members concerning secure destruction methods,
timeframes for destruction, etc.
2. Person in charge of the protection of personal information
In accordance with the Act, the AGENCY or the BROKER has appointed a Person in charge of the protection of personal information.
This person is responsible, among other things, for ensuring that the policies are enforced and that they comply with applicable regulations. The name and contact details of this person can be found in the section “Right of access, withdrawal and rectification.”
The Person in charge of the protection of personal information is responsible for managing confidentiality incidents and, in this context, takes action as provided for under the Act.
The Person in charge of the protection of personal information handles requests for access and rectification of personal information. This person also handles complaints concerning the handling of personal information by the AGENCY or the BROKER.
The Person in charge of the protection of personal information is consulted as the event of a privacy impact assessment for any project involving the acquisition, development or redesign of an information system or the electronic delivery of services involving the collection, use, disclosure, retention or destruction of personal information. This person may suggest measures to ensure the protection of personal information in the context of such a project.
3. Staff members
Staff members of the AGENCY may access personal information only to the extent necessary for the performance of their duties or mandates.
The staff member of the AGENCY:
- Ensures the integrity and confidentiality of all personal information held by the AGENCY.
- Complies with all policies and guidelines of the AGENCY regarding access, collection, use, communication and destruction of personal information as well as information security, and complies with all instructions received.
- Respects the security measures implemented on his workstation and on any equipment containing personal information.
- Uses only such equipment and software as are authorized by the AGENCY.
- Ensures, when appropriate, the secure destruction of personal information in accordance with the instructions received. Immediately reports to his superior any act of which he is aware that may constitute an actual or suspected breach of security rules relating to personal information.
Right of access, withdrawal and rectification
A person (or his/her authorized representative) may request access to his/her personal information held by the AGENCY or the BROKER. A person may withdraw consent to the collection, use and communication of personal information. Such withdrawal is recorded in writing.
A person may request the correction of personal information in a file concerning him/her that he/she believes to be inaccurate, incomplete or unclear.
The AGENCY or the BROKER may refuse a request for access or rectification in the cases provided for under the Act.
Complaints
A person who deems to have been wronged may file a complaint regarding the handling of his/her personal information by the AGENCY. The complaint will be processed promptly within a maximum of two days by the Person in charge of the protection of personal information and will receive a written response.
- A response to the complaint will be sent to the person acknowledging receipt of the compliant.
- An investigation will be launched immediately, and all the proper steps will be taken to rectify the situation.
- If a breach is found it will be dealt with immediately and logged and reported to all parties concerned.
- All measures will be taken to stop such breach from happening in the future.
To request access to or rectification of your personal information or to file a complaint regarding the handling of personal information, please contact:
Moahamad Al Hajj (514)678-5959
mohamad.alhajj@century21.ca
Mohamad Al Hajj c/o Century 21
Immo-Plus 1980 Notre Dame O. Montreal Quebec H3J 1M8.