3. Role and responsibility of the agency executive officer

The modernization of the Private Sector Act provides that every person carrying on an enterprise is responsible for protecting the personal information held by that person.¹

The person with the highest authority within the company (the agency executive officer or the broker acting on his own account, as the case may be), is automatically responsible for protecting personal information within his company. However, he or she may delegate this duty to a third party. This person must have the required skills and decision-making powers related to his or her functions.

The title and contact information of the privacy officer must be published on the website of the agency (or of the broker acting on his own account) or, if there is no website, made available by other appropriate means.

It is the agency that legally "holds” the personal information. Thus, the broker acting on behalf of the agency must forward all the information collected in the course of a mandate to the agency without delay. Although the broker may keep a copy of the information during the performance of the mandate, he must immediately destroy his copy when the information is no longer required for the performance of his duties (for example, after the completion of the real estate transaction or the refusal of the promise to purchase, etc.).

Prior to destruction, the broker must ensure that all documents and information (including emails and text messages) have been forwarded to the agency or deposited in the agency's EDM record.

The agency must provide its brokers and employees with clear guidelines and policies that comply with privacy laws. As of September 2022, the agency must keep a confidentiality incident log and report to the Commission d'accès à l'information any confidentiality incident (involving personal information) that poses a serious risk of harm.