Par Nicolae Racovita

Give your accountant registry access without email attachments

CPA, insurer, lawyer, contractor: how to give them scoped, logged, read-only access to your syndicate's records instead of emailing documents around.

Cover Image for Give your accountant registry access without email attachments

Quick answer: instead of emailing documents, a Quebec syndicate of co-owners can grant its external practitioners - accountant (CPA), insurer, lawyer, contractor - read-only access limited to their mandate, framed by a signed confidentiality agreement and an access log. It is a prudent practice under Law 25 that keeps control of personal information in the syndicate's hands.

Why not just email the documents?

Because a syndicate's register holds more than meeting minutes. Co-owners' names and contact details, statements of account, loss files, leases: all personal information for which the syndicate - a legal person subject to Quebec's Act respecting the protection of personal information in the private sector - is responsible.

An email attachment permanently escapes the syndicate's control. It can be forwarded, copied, kept on a personal computer, and nobody will ever know who consulted it. When a confidentiality incident presents a risk of serious injury, the law requires notifying the Commission d'accès à l'information and the persons concerned (s. 3.5 of the Act) - hard to do when you do not know where the copies went.

Read-only access, scoped to the mandate, revocable and logged, flips the logic: the document never leaves the register, and the syndicate knows who saw what, and when.

Which practitioners need access to the syndicate's records?

Six profiles come up in almost every syndicate:

PractitionerTypical mandateWhat they need to see
Accountant or auditor (CPA)Bookkeeping, financial statements, review or audit engagementFinances, budget, register
Building professional (OIQ, OAQ, OTPQ, OEAQ)Maintenance logbook, contingency fund studyRegister, contingency fund, work
Lawyer or notaryLitigation files, interpreting the declarationRegister, litigation, losses
Insurer or brokerRenewal, claimsRegister, losses
Contractor (RBQ licence)The work assigned to themRead-only register, their work orders
Privacy officer (person in charge of personal information)Personal-information governanceRead-only register

The guiding principle is necessity: each sees what their mandate requires, nothing more. The insurer does not need co-owners' statements of account; the contractor does not need board minutes.

Must your syndicate designate a person in charge of personal information?

Yes. Every enterprise within the meaning of the Act - and a syndicate of co-owners is one - must designate a person in charge of the protection of personal information (s. 3.1 of the Act). By default the function falls to the person with the highest authority - in practice, the board president - but it can be delegated in writing, including to someone outside the syndicate.

That is exactly why the privacy-officer profile exists as an access role: the designated person can consult the register to do their job, without holding the keys to administration.

What should the confidentiality agreement cover?

Before opening access, have a written agreement signed that sets out:

  • The purpose: the mandate for which access is granted.
  • Confidentiality: the commitment not to communicate the information to third parties.
  • End of mandate: access ends with the mandate, and the practitioner keeps no copies beyond what their profession requires.

An electronically signed agreement carries the same weight as a paper one when the document's integrity is assured - that is the framework of Quebec's Act to establish a legal framework for information technology. Keep every signed version: if the agreement's text evolves, earlier versions remain the proof of what each practitioner accepted.

Granting access without losing control

Three guardrails separate "sharing" from "losing control":

  1. Read-only, scoped to the mandate. The practitioner consults; they change nothing and never see sections outside their mandate.
  2. The access log. Every consultation is traced: who, what, when. If a question - or an incident - arises, the syndicate has a documented answer.
  3. Immediate revocation. The mandate ends, the access closes. No orphaned attachments survive in inboxes.

How CondoAide frames external roles

CondoAide builds these practices into an access-management feature:

  • Six preconfigured external roles - vendor, building professional, accountant (CPA), legal counsel, insurer and privacy officer - each with a read scope limited to its mandate, adjustable by the syndicate.
  • An agreement signed before access. The practitioner creates their account and signs the syndicate's confidentiality agreement before seeing anything; every version of the agreement is kept as proof.
  • An audit journal records access and actions.
  • The accountant case: the role allows bookkeeping (transactions, reconciliation, year-end close) with read access to the budget and register. For a review or audit engagement - a CPA's reserved act that the platform does not perform - the syndicate can remove the management permission and grant read-only access.

CondoAide is a management tool: the decision to grant a mandate, the choice of practitioner and the content of the agreement remain your board's.

Frequently asked questions

Can my accountant access the syndicate's register? Yes, if the board of directors grants access within their mandate. The prudent practice: named, read-only access limited to the financial sections, preceded by a signed confidentiality agreement and recorded in an access log.

Is a syndicate of co-owners subject to Law 25? Yes. A syndicate is a legal person holding personal information about co-owners and tenants: Quebec's private-sector privacy law applies to it, including designating a person in charge (s. 3.1) and notifying confidentiality incidents.

What is the person in charge of personal information, and who should hold the role? It is the person responsible for ensuring the organization complies with the law. By default, the person with the highest authority in the syndicate, but the function can be delegated in writing - to a director or to someone external.

Do we need a written agreement before sharing documents with a third party? It is the prudent practice, and for some service providers the law requires a contractual framework covering confidentiality and use of the information. A signed agreement stating the purpose, confidentiality and end of mandate protects the syndicate and sets clear expectations.

Going further


This article provides general information and is not legal advice. For how Law 25 applies to your situation, consult your legal advisor. CondoAide is a management platform - we perform neither financial audits nor contingency fund studies. For those services, retain a member of a recognized professional order (OIQ, OAQ, OEAQ, OTPQ, CPA).