This guideline is designed for licensees and made available for public information; some of its hyperlinks are not publicly available.

6. Using personal information


Personal information may be used only for the purposes for which it was collected.

Once the object of the file has been accomplished (for example, the real estate sale has been completed or the promise to purchase has been refused), the licensee must no longer use the personal information on file.

6.1 Exceptions: use without consent¹

The law provides for exceptions when the personal information may be used without the consent of the person concerned:

  • The secondary use is consistent with the purpose for which the information was originally collected. There must be a direct and relevant connection with the original purposes. Commercial prospection is expressly excluded from compatible purposes.
  • The use is clearly for the benefit of the person concerned.
  • The use is necessary for study, research, or statistics purposes, but the information must be depersonalized to prevent direct identification of the individual concerned.

¹ S. 12 of the Private Sector Act, effective September 22, 2023.

6.2 Security measures when using information

The licensee must take reasonable security measures to ensure the protection of personal information he holds. These measures shall take into account, among other things, the sensitivity of the information, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored.²

As part of the security measures, physical and computer (EDM system) access to information should be restricted to only those individuals who need access to the information to perform their duties.

When a brokerage contract is concluded between a seller and an agency represented by a broker, the broker has automatic access to the seller's personal information. In addition to the broker, the agency executive officer may also have access for compliance verification purposes, as well as support staff (ideally one person) to perform administrative tasks.

The other agency brokers who are not involved in the case must not have access to this personal information. However, if the seller is represented under a brokerage contract by a team of agency brokers, the team members will have access to personal information to be able to fulfill their representation obligations toward their client.

Licensees must ensure that the medium chosen to hold and use personal information is stable, secure and maintains confidentiality at all times.

² S. 10 of the Private Sector Act.

6.2.1 Confidentiality incident³

In the wake of recent personal information breach scandals and in the context of the massive convergence toward telecommuting, the new Act has placed a clear emphasis on cybersecurity.

A confidentiality incident is defined as an event that may compromise the confidentiality of personal information when used by a company, namely:

  • Unlawful access to personal information
  • Unlawful use of personal information
  • Unlawful communication of personal information
  • Loss of personal information or any other breach of its protection.

A confidentiality incident may include events such as theft, fraud, loss (caused by a virus or computer flaw, leak, computer attack, error), deliberate action (extraction of information by an unauthorized employee or person), etc.

If an incident occurs that poses a serious risk of harm, the licensee must diligently report it to the persons concerned and to the Commission d’accès à l’information (CAI). He may also, at his discretion, notify any entity that may mitigate the risk (e.g., the police, his EDM provider, computer provider, etc.), providing only the information necessary for this purpose; this may be done without the consent of the person concerned.

To assess the risk of harm to an individual whose personal information is involved in a confidentiality incident, it will be necessary to consider, among other things, the sensitivity of the information concerned, the perceived consequences of its use and the likelihood that it will be used for harmful purposes. In the case of unauthorized access to information whose disclosure increases the risk of identity theft (e.g., ID document information), the risk must be considered serious and reported.

Like all companies in Québec, agencies and brokers acting on their own account must take steps to reduce the risk of harm in the event of a confidentiality incident.

To minimize potential harm, it is strongly advisable to implement preventive cybersecurity measures (IT systems review, staff training, internal control policies) as well as incident management measures.

It is particularly recommended to establish a protocol for managing confidentiality incidents in which the members of a crisis unit will be identified. This unit will be responsible for managing incidents and determining the concrete actions to be taken if an incident occurs. It is also recommended to take out insurance covering cyber risks and to ensure that EDM service providers are committed to reporting confidential information security incidents.

In addition, agencies and brokers acting on their own account must maintain a confidentiality incident log.⁴

The obligation to manage and report confidentiality incidents must be taken seriously given the severe administrative penalties that could be imposed by the CAI for non-compliance with the new rules.⁵

Good to know
Under the Private Sector Act, anyone who fails to report an incident that he or she is required to report is liable to administrative monetary penalties of up to $10,000,000 (or an amount corresponding to 2% of worldwide turnover for the preceding fiscal year, whichever is greater). In addition, the penal sanctions for the same acts are between $15,000 and $25,000,000 (or an amount corresponding to 4% of worldwide turnover for the previous fiscal year, whichever is greater).


³ Sections 3.5 to 3.8 of the Private Sector Act.
⁴ To learn more about the content of the incident log and the incident reporting notices, see the Regulation respecting confidentiality incidents.
⁵ Sections 90.1 to 90.17 of the Private Sector Act, effective September 22, 2023.

Last updated on: August 11, 2023
Article number: 253206