Privacy Policy


The purpose of this policy is to set out how the Real Estate Council of Ontario (RECO) manages the personal information it collects, uses and discloses in its administration of the Real Estate and Business Brokers Act, 2002.


Pursuant to the Administrative Agreement (the Agreement) dated February 5, 2013 entered into between RECO and the Minister of Consumer Services, RECO received the delegated authority to administer the Real Estate and Business Brokers Act, 2002. Among other matters, the Agreement requires that RECO develop and implement a Privacy Code that follows the principles set out in the Model Access and Privacy Code, attached as Appendix F to the Agreement.

RECO is committed to respecting the privacy rights of individuals and the confidentiality and security of their personal information consistent with its role as the industry regulator. This Privacy Policy sets out the manner in which RECO applies the principles set out in the Model Access and Privacy Code. RECO's privacy policy is based on the ten principles in the Canadian Standards Association's Model Code for the Protection of Personal Information, an internationally recognized standard for the protection of personal information.


This policy applies to the personal information of registrants of RECO, members of the public who may contact RECO for information or to file a complaint and individuals who may serve as witnesses in a proceeding conducted by RECO. It does not apply to employees, volunteers, third party contractors or other individuals who are providing services for RECO. RECO's Employee Handbook describes how it manages the personal information related to its employees.


In this Policy, the following definitions apply:

Personal information (PI) means any information about an identifiable individual that is recorded in any form.

Record means information in a recorded format

REBBA means the Real Estate and Business Brokers Act, 2002.

RECO means the Real Estate Council of Ontario

Registrant means an individual applying for registration under the Real Estate and Business Brokers Act, 2002 (REBBA), individuals registered and former registrants


RECO collects, uses and discloses personal information for purposes that are reasonable and to the extent that is reasonable for meeting the purpose for which the information is collected.

RECO collects and/or uses personal information for the purposes of:

  • Registering and renewing the registration of real estate brokers, salespersons and brokerages in accordance with the requirements of REBBA
  • Expediting the insurance coverage of registrants
  • Processing complaints about the conduct of a registrant in relation to REBBA
  • Conducting investigations and pursuing regulatory action
  • As otherwise permitted or required by law.

RECO discloses personal information to:

  • The Sheriff to conduct background checks on registrants and officers of real estate companies
  • Insurance companies to facilitate the insurance coverage for registrants, and manage claims against a registrant
  • Law enforcement agencies and defence counsel to conduct investigations and hearings into the conduct of a registrant
  • As otherwise permitted or required by law.


Each Privacy Principle is shown in bold face, followed by RECO's personal information practices to support the principle.

Privacy Principle 1: Accountability

RECO is responsible for personal information in its custody or under its control and has designated a contact person who is accountable for the organization's compliance with the laws, policies, procedures and best practices.


RECO has identified the Legal Counsel as the RECO Privacy Officer, the individual responsible for RECO's compliance with the RECO Privacy Policy. The identity of this individual is made known upon request.


RECO enters into agreements/contracts to provide a comparable level of protection for the personal information when third parties require access to the PI maintained by RECO in order to provide services to RECO.


RECO has implemented policies and procedures to give effect to the principles in the RECO Privacy Policy. These include:

  • Implementing procedures to protect personal information and to oversee RECO's compliance with the RECO Privacy Policy
  • Establishing procedures to receive and respond to inquiries, complaints and requests for access to and/or correction of personal information
  • Training staff and communicating information to them about RECO's Privacy Policy and practices
  • Developing information to explain the RECO Privacy Policy and practices and making this information available to the public

Privacy Principle 2: Identifying Purposes

RECO has identified the purposes for which personal information is collected at or before the time the information is collected.


RECO identifies the purposes for which personal information is collected on Application and other forms at the time personal information is collected in order to comply with the Openness Principle and the Individual Access Principle.

  • Identifying the purposes for which personal information is collected at or before the time of collection allows RECO to determine the information it needs to collect to fulfill these purposes. This is related to the Limiting Collection Principle
  • Persons at RECO collecting the personal information are able to explain the purposes for which the information is being collected


If personal information that has been collected is to be used for a purpose not previously identified, RECO will obtain consent unless the new use is required or permitted by law, or to process a complaint, or for the conduct of an inspection or investigation.

Privacy Principle 3: Consent

The knowledge and consent of the individual are required for the collection, use or disclosure of PI, except where consent would be inappropriate. The consent must relate to the information and must not be obtained through deception or coercion. This principle requires �knowledge and consent�.


RECO will only collect, use and disclose personal information with consent, except where otherwise permitted or required by law or to process a complaint or conduct an inspection or investigation.


RECO will state the purposes for which personal information is collected in such a manner that the individual can reasonably understand how information will be used and disclosed.


RECO will obtain express consent where possible. In determining the form of consent to use, RECO will take into account the sensitivity of the personal information and the reasonable expectations of our registrants and the public. Express consent is obtained on application and other forms used by RECO.


An Application for registration made by an individual constitutes express consent for RECO to collect, use and disclose the individual's personal information for the relevant purposes.


An individual may change or withdraw their consent by providing RECO with reasonable notice as long as such change or withdrawal would not change or frustrate a legal obligation between the individual and RECO. When RECO receives such a notice, RECO will inform the individual of the likely consequences, if any, of changing or withdrawing their consent. Such consequences may include RECO's inability to proceed with the service requested by the individual (e.g. registration).

Privacy Principle 4: Limiting Collection

RECO limits the collection of personal information to that which is necessary for the purposes identified.


RECO does not collect personal information if other information, such as aggregate or statistical information, would serve the purposes of the collection.


RECO does not collect more personal information than is reasonably necessary to serve the purpose of the collection.

Privacy Principle 5: Limiting Use, Disclosure and Retention

RECO does not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual, as permitted or required by law or to process a complaint or to conduct an inspection or investigation. RECO retains personal information only as long as necessary for the fulfilment of these purposes.


RECO has developed guidelines and implemented procedures with respect to the retention of personal information. Personal information is retained for the period of time required to fulfill the purposes for which it was collected.


RECO destroys personal information after it is no longer required for the purposes for which it was collected in a manner that does not allow the information to be reconstructed.

Privacy Principle 6: Accuracy

RECO will keep personal information that it collects as accurate, complete and up-to-date as necessary to fulfill the purposes for which it is to be used.


Personal information maintained by RECO will be as accurate, complete and up-to-date as possible to minimize the possibility that inappropriate information is used to make a decision about an individual.


Individuals may request access to their personal information for the purpose of determining if it is accurate, complete and up-to-date.

Privacy Principle 7: Safeguards

RECO takes steps that are reasonable in the circumstances to protect the personal information it collects with security safeguards appropriate to the sensitivity of the information.


RECO uses administrative, physical and technical means to safeguard personal information.


RECO makes employees aware of the importance of maintaining the confidentiality of personal information.


RECO uses care in the disposal and destruction of personal information to prevent unauthorized parties from gaining access to the information.

Privacy Principle 8: Openness

Information about RECO policies and practices relating to the management of personal information is publicly available.


RECO maintains a copy of its Privacy Policy on the RECO Web site.


A copy of the RECO Privacy Policy will be mailed on request by contacting the RECO Privacy Officer.


RECO makes available to the public information on how to:

  • contact its Privacy Officer
  • obtain access to or request correction of a record of personal information that is in the custody or under the control of RECO
  • how to make a privacy complaint to RECO

Privacy Principle 9: Individual Access

Individuals may request access to their personal information and, subject to certain limited exceptions, be provided with access to the information. Individuals are able to challenge the accuracy and completeness of their personal information and have it amended if appropriate to do so.


On request, an individual will be informed whether or not RECO holds personal information about the individual and, if appropriate, the source of the information.


RECO will not provide access to personal information to the individual to whom it relates if the release:

  • Violates another individual's right to privacy, unless that individual consents to the release of the personal information
  • Violates a legally recognized privilege
  • Compromises security or commercial proprietary concerns
  • Deals with an inspection, investigation or complaint
  • Violates a provision of the REBBA or the Safety and Consumer Statutes Administration Act (SCSAA).


An individual may request access to their personal information held by RECO following the Access Request Procedure.


RECO will respond to access requests within 30 days where possible. There may be a charge for photocopying or other out-of-pocket costs such as postage, courier and record preparation costs.

Privacy Principle 10: Challenging Compliance

Individuals may contact RECO with any questions, complaints or suggestions with respect to RECO's Privacy Policy.


Individuals may make a complaint concerning RECO's compliance with the RECO Privacy Policy following the process set out in its Complaint Procedure.


RECO will investigate all complaints about its Privacy Policy and take appropriate measures on the results of the investigation.


Questions or comments on RECO's Privacy Policy can be addressed to:

Privacy Officer
3300 Bloor Street West
West Tower, Suite 1200
Toronto, ON M8X 2X2

This Privacy Policy should be read in conjunction with the associated RECO procedures that operationalize the Policy:

Individual Requests to Access and/or Correct Their Personal Information, or to File a Complaint Related to the Use of their Personal Information

Procedure for Individuals to Withdraw their Consent to RECO's Collection, Use and/or Disclosure of Their Personal Information




[Principles 9 and 10 of the RECO Privacy Policy]

The following procedure describes the process for individuals to request access to their personal information or to make a complaint about RECO's compliance with the RECO Privacy Code:

I.Informal Access Request

1. RECO encourages individuals to informally request information as a first step. RECO routinely provides an individual with their personal information where appropriate, subject to confirmation of their identity.

2. The following personal information is available from RECO on an informal basis:

  • RECO routinely provides information to registrants on the status of their registration
  • RECO routinely makes available on its Web site the name, business address and telephone number of active registrants
  • RECO routinely makes available on its Web site the decisions of discipline and appeals committees
  • RECO makes available on its Web site decisions of the Licence Appeal Tribunal and decisions of the Ontario Court of Justice for Provincial Offences Act prosecutions
  • On request, RECO will provide an individual with information concerning the existence, use and disclosure of his or her personal information.
  • If the personal information is not subject to the exceptions to access, RECO will provide the personal information in an appropriate form.

II. Formal Access Requests/Requests for Correction of Personal Information

1. When personal information cannot be obtained through the informal route described in Section I., individuals may submit a formal request for access to the:

Privacy Officer
3300 Bloor Street West
West Tower, Suite 1200
Toronto, ON M8X 2X2

2. The request must be in writing and must describe the information requested.

3. RECO may require the person requesting personal information to provide RECO with evidence of his or her identity so that RECO can ensure the person has the right to access the personal information. RECO will only use such information for the purposes of identification and authentication.

4. RECO will respond with a decision within 30 working days of receipt of the request where possible. Reasons will be provided when access is not provided to a record along with a description of how the individual may request a review of the decision.

5. RECO may refuse access to all or a part of a person's personal information under certain circumstances including, but not limited to:

  • The information is protected by legal privilege
  • The disclosure of the information would reveal confidential business information and it is not unreasonable to withhold the information
  • The information was collected for an investigation or legal proceeding or if released would affect the integrity of the investigation or hinder the investigation
  • The disclosure of the information could reasonably be expected to threaten the life or security of another individual
  • The information would reveal personal information of another individual

6. Where an individual disagrees with the accuracy of their personal information received from a request, the individual is entitled to request a correction. The request for correction must be in writing and addressed to the Privacy Officer. If the request for correction is refused by the Privacy Officer, the individual may require RECO to attach a Statement of Disagreement to the file that explains why and how the individual wants their personal information corrected. The statement of disagreement will be transmitted to any third parties having access to the personal information.

7. When a requester is not satisfied with the response to the formal request, the requester may ask the President/CEO to review the decision. The request for review must be in writing, addressed to the President/CEO and must describe what the requester wants reviewed. A final decision on the formal request will be provided to the requester within 30 working days of receipt of the review request.

8. RECO charges the following fees for processing a request made by an individual for access to their personal information:

  • For photocopies and computer printout, 20 cents a page
  • For records provided on CD-ROMs, $10 for each CD-ROM
  • For developing a computer program or other method of producing the personal information requested from a machine-readable record, $15 for each 15 minutes spent by any person.
  • The costs, including computer costs, RECO incurs in locating, retrieving, processing and copying the personal information requested if these costs are specified in an invoice that RECO has received.

Fees are payable prior to the provision of access to the personal information.


The following procedure describes the process by which individuals may withdraw their consent to RECO's collection, use or disclosure of personal information:

1. Individuals may withdraw consent at any time.

2. The implication may be that RECO will not be able to proceed with the service requested.

3. An individual must submit their request to withdraw their consent in writing to the:

Privacy Officer
3300 Bloor Street West
West Tower, Suite 1200
Toronto, ON M8X 2X2

4. The request must include the matters for which consent is withdrawn. A withdrawal of consent will be acknowledged in writing by the Privacy Officer and will contain information on the consequences, if any, of the withdrawal.