1 USING YOUR PRIVACY TOOLKIT FOR REALTORS Your PRIVACY TOOLKIT for REALTORS is based on the Adobe Acrobat Reader application which includes complete documentation in an accessible PDF-based help system. The help system includes information on all the Acrobat Reader tools, commands, and features for both Windows and Mac OS systems. The PDF format is designed to provide easy navigation and can also be printed out. For your convenience, we have outlined a few of the most commonly-used features: Using bookmarks The contents of your PRIVACY TOOLKIT are shown as bookmarks in the Bookmark pane (to the left of your screen). To view subtopics, click the plus sign (Windows users) or arrow symbol (Mac users) next to a topic. The topic will be expanded to show the subtopics it contains. Each bookmark is a hyperlink to the associated section of the document. To view the contents, click the bookmark. As you view the contents in the document pane, the bookmark associated with that content will be highlighted in the bookmark pane to help you easily identify where you are in the document. Using the navigation arrows Navigation arrows are provided at both the top and bottom of the Reader frame to help you move easily back and forth between pages. Top Navigation Bottom Navigation Clicking the left arrow will take you to last page you viewed. Clicking the right arrow will take you to the next page. You can also page through the document using the navigation options available under the Document menu. To find a topic using the find command: 1. Choose Edit > Find. 2. Enter a word or a phrase in the text box, and click OK. 3. Reader will search the document, starting from the current page, and display the first occurrence of the word or phrase you are searching for. 4. To find the next occurrence, choose Edit > Find Again. World Wide Web hyperlinks The PRIVACY TOOLKIT has been setup with easy access to web pages. Any BLUE-COLOURED type can be clicked upon and it will immediately link you to the associated web page. Printing the document Although PRIVACY TOOLKIT has been optimized for on-screen viewing, you can print out the document or portions of the document. To print, choose Print from the File menu, or click the printer icon in the Reader toolbar. Other help resources For more information about your version of Acrobat Reader, please visit:
2 PRIVACY TOOLKIT for REALTORS Your guide to CREA s Privacy Code CREA THE CANADIAN REAL ESTATE ASSOCIATION
3 TABLE OF CONTENTS I. INTRODUCTION Background The Personal Information Protection and Electronic Documents Act The Ten Principles of Privacy The Privacy Code of The Canadian Real Estate Association II. YOUR TOOLS WHAT YOU NEED AND WHY The Privacy Code Sample Office Policies For Realty Firms Sample Office Policies For Boards/Associations Making Privacy Work in Your Office (Implementation Guidelines) Privacy Brochure III. FREQUENTLY ASKED QUESTIONS IV. BROKERS/OWNERS/MANAGERS WHAT YOU NEED TO KNOW V. SALESPERSONS DO S AND DON T S VI. RESOURCES 1. REFERENCE MATERIALS The Personal Information Protection and Electronic Documents Act (2001) Your Privacy Rights: A Guide For Canadians (a publication of the Office of the Privacy Commissioner of Canada) Your Privacy Responsibilities: A Guide For Businesses and Organizations (a publication of the Office of the Privacy Commissioner of Canada) 2. USEFUL LINKS 3. CONTACT INFORMATION FOR PROVINCIAL/TERRITORIALPRIVACY COMMISSIONERS ALL OF THE MATERIALS IN THIS CD-ROM AND ANY PRIVACY UPDATES WILL BE POSTED ON REALTOR Link (http://www.realtorlink.ca). PLEASE CHECK THAT SITE ON A REGULAR BASIS TO FIND OUT WHAT S NEW IN PRIVACY.
4 PRIVACY TOOLKIT for REALTORS Introduction CREA THE CANADIAN REAL ESTATE ASSOCIATION
5 INTRODUCTION I have yet to meet one person, in public or private life, who has not professed great belief in the right to privacy. But I have witnessed some of those same persons engaged in activities utterly destructive of that right. Talking the talk is no substitute for walking the walk. -Bruce Phillips, Privacy Commissioner of Canada Annual Report Civilization is the progress of society toward privacy. The savage s whole existence is public, ruled by the laws of the tribe. Civilization is the process of setting man free from man. -Ayn Rand, author, Background Privacy is considered by many to be an ethereal concept an idea or philosophy that has an idealistic sound to it, but no practical application. This thinking is not only wrong, it is dangerously wrong in this day and age. Privacy touches every aspect of our day to day routine and should be a serious concern to all of us who are living in a world which is increasingly becoming an informational fishbowl. A groundswell of concern has been growing for decades. Too often, organizations have treated your information as their own. Too often, consumer data has found itself in places it didn t belong in the hands of persons who were not authorized by the consumer himself to hold it. Privacy has been treated as a luxury accorded only to a select few. Those days are now gone, and every businessperson, including every REALTOR, must adapt to the new reality. As of January 1, 2001, privacy was officially recognized not as a privilege, but as a fundamental human right of every citizen in Canada. 2. The Personal Information Protection and Electronic Documents Act (PIPEDA) On January 1, 2001, the new federal privacy legislation came into limited effect. The Personal Information Protection and Electronic Documents Act (PIPEDA) provides, in essence, that no personal information of consumers will be collected, used or disclosed by businesses without the informed consent of the individual. As of January 1, 2001, the Act applies only to federally regulated businesses and many others who send data across provincial and international borders. On January 1, 2004, it will apply to all commercial enterprises, unless provinces have enacted similar laws.
6 INTRODUCTION This legislation was a necessary reaction to a series of concerns the threat of the European Union Data Directive which would prohibit all transfer of data to non-eu countries that did not have adequate privacy protection; rising consumer concerns about privacy, and in particular, the serious erosion of public confidence in e-commerce. PIPEDA does not establish exact rules concerning privacy. Rather, it sets out principles intended to limit data collection and disclosure to purposes that a reasonable person would consider appropriate in the circumstances. 3. The Ten Principles of Privacy PIPEDA establishes ten privacy principles that must be incorporated into information collection practices. The principles fall generally into two categories the substantive principles those which give substance to the concept of consent (identifying purposes, consent, limiting collection, limiting disclosure) and the administrative principles those which deal with the day-to-day operations of organizations (accountability, accuracy, safeguards, openness, individual access and challenging compliance). These ten principles, when taken together, form the key business obligations and the key consumer rights of privacy. They create the structure of what has become known as fair information practices. PIPEDA is pro-active in nature, in that it requires all affected organizations to develop policies and procedures which give life to the ten principles. That means that every realty office and every board office must establish office policies which comply with PIPEDA. While organizations may agree with the concept of privacy protection, many have no idea how to put it into practice in their own offices. It is for this reason that CREA has developed the tools to enable our member offices to comply with the law and provide their clients with the assurances that their personal information is being protected. 4. CREA s Privacy Code Privacy is a vital issue to the people on the street. They don t ask that their information be protected. They demand it. And they demand that businesses which collect their information do so in a responsible and professional fashion. These people are starting to say more and more frequently to businesses what are your privacy policies? And we, as a responsible industry, are now able to say to these people here they are. The real estate industry demonstrated its commitment to privacy when the membership of CREA approved a Privacy Code as its national standard at the annual meeting held in Montreal in October of CREA s Privacy Code is the declaration of organized real estate to the public that we respect the privacy rights of individuals and have adopted policies and procedures to protect those rights.
7 INTRODUCTION What the Privacy Code does in its simplest sense, is set national guidelines. It establishes uniform standards which can be applied in a consistent manner across the country. It provides a practical document by which REALTORS and REALTOR organizations can gauge their conduct. The Privacy Code takes the requirements of PIPEDA and translates them into processes which makes sense in terms of the real-life information collection practices of our membership. The Privacy Code is now the national privacy standard of organized real estate, and all members have agreed to abide by those standards. Everyone is therefore encouraged to familiarize themselves with the provisions of the Code. ALL OF THE MATERIALS IN THIS CD-ROM AND ANY PRIVACY UPDATES WILL BE POSTED ON REALTOR Link (http://www.realtorlink.ca). PLEASE CHECK THAT SITE ON A REGULAR BASIS TO FIND OUT WHAT S NEW IN PRIVACY.
8 PRIVACY TOOLKIT for REALTORS Your tools... what you need and why CREA THE CANADIAN REAL ESTATE ASSOCIATION
9 YOUR TOOLS Education, of course, is fundamental to understanding and implementing a policy such as this. To that end, CREA has been presenting privacy seminars across the country, which have been attended by thousands of members. Educational initiatives will continue. However, the primary purpose of this particular CD-ROM is not education. The contents of this disc are intended to provide our members with the practical tools they need to implement privacy procedures in their offices and to abide by the new law and the Privacy Code. All of the work in developing these documents has been done for you. Your challenge now is to become familiar with them and incorporate them into your practice. The tools in this package include: The Privacy Code The Code is based, as it must be, on the ten principles set out in PIPEDA. Following each heading, there is a statement of the principle, expressing the position of organized real estate. Each statement is then followed by a series of examples, explanations, interpretations or suggested procedures. The Privacy Code, being the expression in general terms of the commitment of organized real estate to privacy, should be the starting point in your review. It will give you the overview of how privacy is applied to the practice of real estate. The ten principles are summarized on a separate sheet in the Code. You can download those principles and create frameable copies for your office wall. All REALTORS should be provided with copies of the Code. Office Policies This CD-ROM includes office policy templates for both realty firms and real estate boards. The purpose of the office policy is to give life to the principles of the Privacy Code by applying those concepts to the actual operation of the office. As the law requires that all offices develop policies which comply with PIPEDA, these documents are essential tools for all REALTOR organizations. There is no such thing as a one-size-fits-all office policy. A process that works well in a large office may not be appropriate for a small one. The wording of these template policies is, therefore, only suggested wording. The important thing is that the wording of any particular office policy reflect the principles of the Code. Both of these documents should be read together. Please remember that while the specific wording can be tailored to your operation, it is nevertheless absolutely essential that all office policies be amended to incorporate the privacy principles. It is strongly suggested that the owners/managers of realty firms sit down with the staff and salespersons and discuss what terms their privacy policies should reflect. Not only will this ensure workable policies, the very process of developing them will help educate those who are involved.
10 YOUR TOOLS Making Privacy Work in Your Office (Implementation Guidelines) Use this guideline to help develop your office policies. Think of it as your user s manual to the Privacy Code and the office policies. The guidelines discuss in simple language how the ten principles apply to your office operation, what is meant by the terms in the sample office policies and why you need to take certain precautions. This is your annotated guide to the development of policies. It will walk you through the process and explain what you are doing, why you are doing it, and what you hope to accomplish at the end of the road. This is an invaluable tool in the development process. Read it before you begin, and ensure all of the people in the office have a copy. Brochure Both PIPEDA and the Privacy Code require that offices make available to consumers their privacy policies. The most effective way of doing this is to give your clients brochures which summarize the principles of privacy you bring to the relationship. CREA has developed a brochure for this purpose, which can be found on this CD-ROM. Again, the wording is not mandatory, but has been developed to comply with the law. As with the office policies, you are free to revise the brochure to better reflect your own procedures. Space has been left on the brochure for the realty office to put its own name and the privacy contact within the office. The brochure can be downloaded so that copies may be left in the waiting room of the office and/or given to clients. Resource Materials We have included a number of useful reference materials and links. PIPEDA itself is on this disc, for those who are interested in a more in-depth review of the law. Two extremely informative guides issued by the Privacy Commissioner of Canada one for companies and the other for individuals- are also included. There are countless web sites devoted to privacy, both in Canada and the United States. A few are set out here. We ve also added the contact information for all of the provincial privacy commissioners. ALL OF THE MATERIALS IN THIS CD-ROM AND ANY PRIVACY UPDATES WILL BE POSTED ON REALTOR Link (http://www.realtorlink.ca). PLEASE CHECK THAT SITE ON A REGULAR BASIS TO FIND OUT WHAT S NEW IN PRIVACY.
11 PRIVACY TOOLKIT for REALTORS Privacy Code of The Canadian Real Estate Association CREA THE CANADIAN REAL ESTATE ASSOCIATION
12 THE CREA PRIVACY CODE I. INTRODUCTION In the usual course of real estate transactions, REALTORS and REALTOR organizations often require significant amounts of detailed information about identifiable individuals and companies. Most of this information is considered private under general community standards. The dissemination of information about an individual is not necessarily bad, indeed it is often vital in the conduct of business, but the indiscriminate dissemination of information, even if unintentional, may lead to the loss of privacy of an individual. Buyers and sellers therefore expect that the real estate organizations entrusted with this information will take positive steps to protect it. In recognition of this fact, the members of The Canadian Real Estate Association must adhere closely to strict rules governing the protection of this information. The Privacy Code, which applies to all member provincial/territorial associations, real estate boards, brokerage firms, brokers and salespersons, is made up of a set of principles which, if followed, sets in place a solid foundation within which the REALTOR community can protect its customers, clients, and the general public. The Privacy Code sets a minimum standard. To give life to the principles in this Code, detailed procedures concerning the collection, storage, and distribution of personal information are required to be developed by all REALTOR organizations. The Canadian Real Estate Association will review this Code at least every two years to ensure it is relevant and up-to-date.
13 THE CREA PRIVACY CODE II. SUMMARY OF PRINCIPLES PRINCIPLE 1 ACCOUNTABILITY Members are responsible for the proper management of all personal information under their control, and shall designate one or more persons to be accountable for compliance. PRINCIPLE 2 IDENTIFYING THE PURPOSES OF PERSONAL INFORMATION Members shall identify the purposes of collecting information before or at the time the information is collected. PRINCIPLE 3 OBTAINING CONSENT The knowledge and consent of the consumer are required for the collection, use or disclosure of personal information except where inappropriate. PRINCIPLE 6 ACCURACY OF PERSONAL INFORMATION Members shall keep personal information as accurate, complete, current and relevant as necessary for its identified purpose. PRINCIPLE 7 PROTECTING INFORMATION Members shall protect personal information with safeguards appropriate to the sensitivity of the information. PRINCIPLE 8 OPENNESS CONCERNING POLICIES AND PRACTICES Members shall make readily available to consumers specific information about their policies and practices relating to the management of personal information. PRINCIPLE 4 LIMITING COLLECTION OF PERSONAL IN- FORMATION Members shall limit the collection of personal information to that which is necessary for the purposes identified. PRINCIPLE 5 LIMITING USE, DISCLOSURE AND RETENTION OF PERSONAL INFORMATION Members shall use or disclose personal information only for the reason it was collected, except with the consent of the consumer or as required by law. PRINCIPLE 9 CONSUMER ACCESS TO PERSONAL INFORMATION Upon request, members shall inform a consumer of the existence, use and disclosure of his or her personal information and shall give the individual access to that information. PRINCIPLE 10 CHALLENGING COMPLIANCE A consumer shall be able to address a challenge concerning compliance with the above principles to the designated accountable person or persons in the member office.
14 THE CREA PRIVACY CODE III. DEFINITIONS Collection: Consent: Consumer: Disclosure: Member: The act of gathering, acquiring, recording, or obtaining personal information from any source, including third parties, by any means. Voluntary agreement with the collection, use and disclosure of personal information for defined purposes. Consent can be either express or implied and can be provided directly by the individual or by an authorized representative. Express consent can be given orally, electronically or in writing. Implied consent is consent that can reasonably be inferred from an individual s action or inaction. Any individual or company who consults with or retains in any way the services of a REALTOR, a brokerage or a real estate board or association. A consumer includes both customers and clients. Making personal information available outside the member organization. Includes Provincial/Territorial associations, real estate boards, real estate brokerage forms, brokers and salespersons as the context requires. Personal Information: Means information about an identifiable individual but does not include: 1.the name, title or business address or telephone number of an employee of an organization; 2. aggregated information that cannot be associated with a specific individual. Reasonable: Third Party: Use: The standard of conduct which would be expected by a reasonable consumer of real estate services in all of the circumstances. An individual or organization other than the member itself. The management of personal information by and within the member organization.
15 THE CREA PRIVACY CODE IV. THE CREA PRIVACY CODE IN DETAIL PRINCIPLE 1 ACCOUNTABILITY Members are responsible for the proper management of all personal information under their control, and shall designate one or more persons to be accountable for compliance. 1.1 The accountability for the protection of personal information rests with the individual REALTOR for information under his or her control. In the case of Boards/Associations, this refers to the Executive Officer. In the case of brokerages, it refers to the individual designated to be responsible for the brokerage under the provincial licensing legislation. 1.2 The accountable person may delegate the day-to-day procedures of compliance to one or more persons. 1.3 Because of the real cost to organizations of breaches of security and privacy, the designated individual should have an in-depth knowledge of the Privacy Code and should play a part in developing the procedures and ensuring staff conforms to the privacy policies. 1.4 The identity of the designated person will be made known upon request. 1.5 Members are responsible for personal information in their custody, including information transferred to third parties for processing. Each member should use contractual or other means to provide a comparable level of protection in those circumstances. 1.6 Every member shall implement policies and procedures to give effect to this Privacy Code including: establishing procedures to protect the privacy of personal information; training and communicating to staff about the organization s policies and procedures; establishing procedures to receive and respond to complaints; developing public information to explain the member s policies and practices
16 THE CREA PRIVACY CODE PRINCIPLE 2 IDENTIFYING THE PURPOSES OF PERSONAL INFORMATION Members shall identify the purposes of collecting information before or at the time the information is collected. 2.1 Personal information of sellers is used both by the listing brokerage for marketing purposes and the board for purposes relating to the operation of its MLS system. Both organizations must ensure they have obtained the necessary consents from the consumer. 2.2 Listing agreements must set out all of the potential uses the information will be put to by the board including distributing it to members through the MLS system, retaining the data indefinitely and publishing it for statistical analysis or otherwise, advertising in board publications, placing the information on the Internet and any other uses the board may make of the data. 2.3 Listing agreements must disclose all classes of potential recipients of information including any non-member individuals or organizations who are allowed some form of access to MLS information. 2.4 REALTORS must advise buyers and sellers the use that will be made by their brokerage of the information collected. This disclosure must be documented in the listing or buyer agency agreement or in some other document. 2.5 The collection of personal information shall be limited to that which is necessary for the purpose identified in 2.2 and 2.4.
17 THE CREA PRIVACY CODE PRINCIPLE 3 OBTAINING CONSENT The knowledge and consent of the consumer are required for the collection, use or disclosure of personal information except where inappropriate. 3.1 Each member will make all reasonable efforts to ensure consumers understand how personal information will be used and disclosed by the organization. 3.2 Consent can be expressed orally (when information is collected over the telephone), in writing or electronically. The signing by a consumer of a representation agreement containing the disclosures set out under Principle 2 shall be considered written consent for those identified purposes. 3.3 Generally, the member will seek consent to use and disclose personal information at the time it collects it. However, that consent may be sought after the information has been collected, but before it is used or disclosed for a new purpose. 3.4 Express consent should be obtained whenever practical. However, consent may be implied for the collection, use and disclosure of personal information in accordance with the known expectations of a particular individual or in terms of what a reasonable person in similar circumstances would likely believe necessary, or where express consent is not practical and where the information would not, in the circumstances, be considered sensitive. 3.5 Consent may be given by a consumer, where appropriate, through an authorized representative such as a person with a power of attorney. 3.6 An individual may withdraw consent at any time subject to legal or contractual restrictions and reasonable notice. The organization shall inform the consumer of the implications of such withdrawal. 3.7 Members shall not refuse to represent a consumer for the reason only that the consumer has refused to provide consent for the collection or use of certain information unless that information is required to properly represent the consumer. 3.8 Consent to the collection, use or disclosure of personal information is not required in those circumstances set out in section 7 of the Personal Information Protection and Electronic Documents Act. Members may develop policies specifically dealing with these circumstances.
18 THE CREA PRIVACY CODE PRINCIPLE 4 LIMITING COLLECTION OF PERSONAL INFORMATION Members shall limit the collection of personal information to that which is necessary for the purposes identified. 4.1 Members shall collect from buyers and sellers only the amount and type of information needed for the purposes identified to them. 4.2 Members may also collect personal information from other sources including credit bureaus, public bodies, government agencies and other third parties who represent that they have the right to disclose the information. 4.3 All personal information shall be collected by fair and lawful means. PRINCIPLE 5 LIMITING USE, DISCLOSURE AND RETENTION OF PERSONAL INFORMATION Members shall use or disclose personal information only for the reason it was collected, except with the consent of the consumer or as required by law. 5.1 Personal information will not be disclosed except as is necessary and reasonable to facilitate the real estate transaction unless the written consent of the individual for the extended disclosure is obtained or such disclosure is required by law. 5.2 Buyers and sellers must be informed that the member may be required, as a result of his/her agency obligations, to disclose personal information to other clients in the case of dual agency or where the individual providing the information is a customer and not a client. 5.3 Members shall keep personal information only as long as it remains necessary or relevant for the purposes identified or as required by law. 5.4 Members shall destroy any personal information no longer needed for its identified purposes or for legal requirements. 5.5 Information which has been aggregated so as to make it anonymous (eg. housing statistics) is not considered personal information.
19 THE CREA PRIVACY CODE PRINCIPLE 6 ACCURACY OF PERSONAL INFORMATION Members shall keep personal information as accurate, complete, current and relevant as necessary for its identified purpose. 6.1 All reasonable efforts must be made to protect the integrity of the personal information by ensuring that it is relevant and as accurate and complete as possible to minimize the possibility that inappropriate or inaccurate information may be used to make a decision about the consumer. 6.2 Personal information will only be updated if it is necessary for the purposes for which it was collected or if revisions are requested by the consumer. PRINCIPLE 7 PROTECTING INFORMATION Members shall protect personal information with safeguards appropriate to the sensitivity of the information. 7.1 Personal information is considered confidential and due diligence must be exercised to ensure it is not stolen, lost, accessed, copied, used or modified without permission. 7.2 Members shall ensure that all employees and other persons acting on their behalf who have access to such data are required to conform to privacy guidelines. 7.3 The steps taken by Boards/Associations and brokerages to protect personal information in its possession should include, where appropriate (a) physical measures, such as locked filing cabinets and restricted access to offices; (b) technological measures, such as the use of computer passwords and encryption; (c) organizational measures such as limiting access on a need-to-know basis and educating employees and salespersons on the privacy guidelines and procedures. 7.4 Members must establish and implement reasonable record retention and destruction policies consistent with the nature and need for the information and legislative requirements.
20 THE CREA PRIVACY CODE PRINCIPLE 8 OPENNESS CONCERNING POLICIES AND PRACTICES Members shall make readily available to consumers specific information about their policies and practices relating to the management of personal information. 8.1 Information regarding a member s policies and procedures must be easy to understand, readily available, and will allow consumers to determine: the title and office address of the person accountable for the member s compliance with the Privacy Code, and to whom inquiries or complaints can be forwarded; the means of gaining access to the personal information held by the member; what type of personal information is in the member s control and what it is used for. 8.2 The information described in 8.1 may be made available in a number of ways including brochures, mail information or on-line access. PRINCIPLE 9 CONSUMER ACCESS TO PERSONAL INFORMATION Upon request, members shall inform a consumer of the existence, use and disclosure of his or her personal information and shall give the individual access to that information. The consumer shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. 9.1 Members shall, on request, inform consumers whether they hold personal information on them. Real estate boards, provincial/territorial associations and brokerages shall develop policies and procedures to allow consumers access to their personal information. 9.2 Policies regarding access to information by the public should be based on openness and ease of use. A sample procedure is as follows: (a) One individual in the organization is designated as the person responsible for responding to access requests; (b) On written request and appropriate identification satisfactory to the organization, an individual will be advised of personal information about him/her retained in the organization s records; (c) Where information cannot be disclosed (for example the information contains reference to other individuals or is subject to solicitor-client privilege) the individual will be given reasons for non-disclosure; (d) An individual may correct erroneous or incomplete information and the organization will amend that information; The information will be supplied at minimal or no cost to the consumer.