The Claim That Changed the Question
A resident in a Mississauga condominium was assaulted in the building's underground parking garage in late 2023. The incident occurred at 11:40pm on a Tuesday — a quiet night, by all accounts. The security company's overnight log for that shift read: "P1 patrol completed, 11:35pm. Quiet night."
Five words. No route. No timestamps on area-by-area coverage. No record of what the officer observed on P1. No notation of when the officer returned to the front desk. The patrol record existed. It was just useless.
When the insurance claim went to litigation, the security vendor could not produce evidence that the patrol had actually covered the level where the incident occurred. The board learned this at the hearing — from the plaintiff's counsel, who asked one precise question: "Can you show me, in the log, that your officer was on P1 between 11:30 and 11:45 that evening?" The board's own legal representative could not answer it. There was nothing to point to.
The condo corporation was exposed in a way that no amount of after-the-fact explanation could repair. The question the board had been asking — is our security vendor licensed and insured? — was the wrong question. The right question was: if something goes wrong, does our documentation protect us?
This post is about that question. It is also about what we have found, working across residential security services in Toronto, Mississauga, and the broader GTA, to be the most consistent gaps in how buildings handle security incident documentation.
The Legal Framework: What You Are Actually Obligated To
PSISA — The Baseline for Any PSISA Security Company in Ontario
The Private Security and Investigative Services Act (Ontario) governs every security guard and security company operating in the province. Its requirements are the floor, not the standard. Every PSISA-licensed security guard in Toronto and across Ontario must hold a valid licence issued by the Registrar of the Ministry of the Solicitor General. Every security agency must hold a valid agency licence. Officers must carry their licence at all times while on duty, and companies are prohibited from placing unlicensed individuals in licensed positions.
Before you sign any security contract, ask for the agency licence number and request current officer licences for the individuals assigned to your property. This is not a hostile request. A reputable PSISA security company produces these at the proposal stage, without being asked. We provide licensing documentation before any contract is signed — not because clients ask, but because a vendor who gets defensive when you ask about their licence is telling you something important.
You can verify any PSISA licensed security guard or agency directly through the Ontario government's online licence verification portal. It takes two minutes. If your current vendor has never offered to walk you through this, ask yourself why. More on our compliance and documentation approach is available on the Chromium Standard page.
What PSISA does not cover: the quality of incident reporting, the format of documentation, retention schedules, or data privacy practices for visitor logs. Those obligations come from elsewhere — and that is where most boards are exposed.
The Ontario Condominium Act — Governance Records and Your Board's Obligations
Under the Ontario Condominium Act (1998) and its regulations, condo corporations are required to maintain records related to the operation and management of the property. Security incident reports are operational records. The Condominium Act is explicit that these records must be available to unit owners upon request, subject to certain privacy carve-outs — which means they must exist, in a usable form, when requested.
When a board needs to produce records in response to a unit owner request, a legal review, or an insurance audit, the quality and completeness of what is in the file becomes the corporation's liability, not the security vendor's. The vendor filed the report. The corporation owns the record. Vague incident logs, missing dates, unattributed entries, and absent follow-up documentation all create gaps that plaintiff's counsel will find — and that an insurer will price into the next renewal.
Condo board security legal obligations under the Condominium Act are more substantive than most boards realise. The Act does not specify what security records must contain — but courts and arbitrators have been willing to draw adverse inferences from records that are obviously inadequate. Gaps in your documentation are not neutral. They are a problem that has not yet been noticed.
PIPEDA — The Data Privacy Layer Your Vendor Is Handling on Your Behalf
The Personal Information Protection and Electronic Documents Act governs how personal information is collected, used, stored, and retained. In the context of a residential building, this applies directly to visitor logs, contractor access records, and CCTV footage. A visitor log that captures names, unit numbers, entry times, and vehicle information is a PIPEDA-covered dataset. The building — not the security company — is typically considered the data controller.
What this means practically for a condo corporation:
- Visitor logs should not be accessible to all building staff without authorisation. Access to PIPEDA-covered datasets should be role-based and logged.
- Digital records must be stored securely, not in an open spreadsheet on a shared drive or a paper logbook with no access control.
- CCTV footage has a defined retention window — typically 30 to 90 days for a residential building, though incident type and legal hold requirements can extend this significantly. Footage deleted on a standard retention cycle before it is flagged as relevant to a legal claim creates a serious problem for the corporation.
- Residents and visitors have the right to request information about what personal data the building holds about them — a subject access request under PIPEDA. Your building must be able to respond.
Here is a scenario that brings this out of the abstract. A resident in one of the buildings we serve was involved in a billing dispute with a contractor who had accessed the property multiple times over a three-week period. The resident filed a formal complaint with the contractor's firm, and the contractor's lawyer subsequently submitted a PIPEDA subject access request to the building — asking for all records that referenced the contractor's visits, including dates, times, access logs, and any notes made by security staff. The building was required to produce them within 30 days. Buildings whose visitor data lives in a paper binder have no consistent way to answer that request. Buildings whose security vendor maintains PIPEDA-compliant digital records can respond within hours.
Your security vendor's documentation practices are, in effect, your building's PIPEDA practices. If you do not know how your vendor stores visitor data — who has access to it, how long it is retained, and how it would be produced in response to a formal request — you should find out before you need to.
The Four Documentation Gaps That Create Liability
1. The Incomplete Patrol Record
A patrol log that says "P1 completed, 02:15" is not a patrol record. A patrol record identifies the specific route covered, the areas observed in sequence, any anomalies noted, and the return time to the front desk. Without that specificity, the log cannot be used to establish that any particular area was covered at any particular time — which is exactly what a court, an insurer, or a unit owner's counsel will want to establish. The Mississauga incident at the start of this piece is not unusual. It is the predictable outcome of an industry norm that tolerates summary logs.
2. The "Resolved" Entry with No Resolution Detail
"Noise complaint, unit 1104, resolved" tells you nothing about what actually happened. Resolved how? By whom? Was the unit occupant contacted directly? Was a formal warning issued under the building's rules? Was the property manager notified? Did the officer enter a common area or address the situation through the intercom? When that complaint returns to the board three months later as part of an escalated formal dispute between neighbours, the board needs to know what the response was the first time — and a one-word resolution status is not an answer.
3. The Missing Incident Chain
When a security incident involves multiple parties — a visitor, a resident, a contractor, and a responding officer — the documentation should name each party and their role in the sequence of events. Security incident documentation in Ontario that refers to "a male subject" without further description, or "the resident" without a unit number, creates evidentiary problems that surface months or years later. A complete incident chain is not just good practice. For a condo corporation navigating an insurance claim or a tribunal proceeding, it is the difference between having a record and having a defence.
4. The Absent Data-Retention Policy
How long does your vendor keep incident reports? How long does your building retain them? If the answer is "I'm not sure," that is a gap worth closing before the next renewal. Under most property insurance policies, incident documentation should be retained for a minimum of 24 months. Legal actions arising from incidents — personal injury, property damage, human rights complaints — can surface well beyond that window, particularly if the limitation period is paused by a legal process. A thoughtful Condominium Act security records retention policy, and a vendor who preserves records beyond the minimum, is straightforward protection. It is not administrative overhead.
The Question Your Insurer Will Ask
Property insurers, when a claim arises involving a security-related incident, are not asking whether your building has a security company. They are asking what the building can prove about what was done, when, and by whom. Claims adjusters and coverage counsel routinely request patrol logs, incident reports, and visitor records as part of the claims assessment process. When those records cannot answer specific questions — which areas were patrolled, at what times, with what findings — insurers have grounds to contest coverage or price future renewals based on the documentation gap rather than the incident itself.
We have seen boards discover this at the worst possible moment: during an active claim, when a coverage dispute is already open. The insurer's question is not rhetorical. "Can you show me documentation that your officer was in the parking garage between 11:30 and 11:45 on the night of the incident?" requires a yes or a no. A log entry that says "P1 patrol completed" is a no. A timestamped digital log with specific area checkpoints and notations is a yes.
Buildings whose security documentation cannot answer those specific questions will face higher premiums, contested claims, or both. This is not hypothetical. It is a factor that underwriters in the Ontario commercial property and liability market account for when pricing multi-residential risks. Your security vendor's record-keeping practices are, effectively, an actuarial variable in your insurance program.
What "Board-Ready" Legal Documentation Actually Looks Like
A security report that genuinely serves the board's governance and legal obligations has six properties. We outline what a board-ready security report looks like in detail in a separate piece — but the core framework is this:
Complete. Every incident entry names the date, time, specific location, parties involved (with unit numbers or identifying details), the officer who responded, the actions taken in sequence, any escalations made, and the resolution status with detail.
Timestamped. Not just the incident — the report entry itself. A record written three days after the fact is worth significantly less than a contemporaneous one in a legal proceeding. Digital logging systems that timestamp entries at creation remove the question entirely.
Consistent. A security report that uses different terminology from month to month, or that records similar incidents differently depending on who was on shift, cannot be used for comparative analysis or legal review. Consistency is a documentation standard, not just a style preference.
Retained. Records should be stored for a minimum of 24 months, with a legal hold applied automatically to any record related to an incident that enters a formal complaint, insurance claim, or legal process. The hold should prevent deletion until the matter is resolved.
Accessible. When the board needs a record at short notice — for an insurance audit, a unit owner request under the Condominium Act, or a legal review — the vendor must be able to produce it quickly, in a format the board can use. "We'll have to dig through the archives" is not an answer.
PIPEDA-compliant. Visitor and contractor data must be managed with defined access controls, a stated retention policy, and a documented process for responding to subject access requests.
The Conversation to Have With Your Vendor Before the Next Renewal
Four questions that reveal the documentation quality of any security vendor quickly:
- Can I see a sample of a real monthly report from an active site, with identifying information redacted? You are looking for narrative, severity weighting, and forward indicators — not just a table of incident counts. If the vendor cannot or will not produce a sample, that tells you something about the quality of what exists.
- How are your patrol logs structured? You are looking for area-by-area specificity, timestamped entries at each checkpoint, and anomaly notation. If the patrol log is a single line per shift, the building cannot defend its patrol coverage.
- What is your data-retention schedule for incident records and visitor logs? The answer should be specific — a number of months, with a defined escalation-hold process for records related to formal complaints or claims. "We keep everything" is not a retention policy.
- How do you handle CCTV footage in the event of an incident that may lead to a legal claim? The answer should include a footage preservation protocol — a process for flagging footage for retention beyond the standard cycle when it is potentially relevant. If the vendor says "we don't manage the CCTV system," the board should understand that the footage preservation obligation then falls entirely on building management.
If the answers are vague, or if the vendor is visibly uncomfortable with the questions, that is your answer. These are not adversarial questions. They are the baseline a security company for property managers in the GTA should be able to answer without hesitation. If you have noticed other signs your security vendor isn't performing, documentation gaps rarely travel alone.
Our Approach
Chromium Guard's documentation practices are built around the assumption that any record we create may one day be reviewed by a lawyer, an insurer, or a court. That is not pessimism — it is the standard required to operate responsibly as a PSISA licensed security company serving condo corporations in a governance environment where boards are accountable for what they knew, when they knew it, and what they did about it.
Every incident entry in our system is timestamped at the moment of creation — not filed at the end of a shift. Patrol routes are logged with specific area checkpoints, so each patrol produces a verifiable record of what was covered and when. Visitor data is stored in a PIPEDA-compliant system with role-based access controls and a defined retention schedule. Incident records are retained for a minimum of 24 months, with legal holds applied automatically when a formal complaint or insurance claim is opened.
We produce board-ready reporting on a monthly cadence, structured to answer the questions a board, an insurer, or a unit owner's representative might ask. If there are incidents worth discussing, they are discussed — with context, severity assessment, and recommended follow-up. If you want to understand our documentation practices in full before a renewal decision, we are glad to walk through our standard and provide a redacted sample report.
We also note, for boards considering a property assessment: we do not ask for commitments before providing substantive information about how we work. Understanding our approach and asking hard questions about your current vendor is the right way to make a renewal decision, and we support that process whether or not it leads to a contract.
Further reading from The Chromium Journal:
Chromium Guard is a boutique firm providing PSISA-licensed concierge security for luxury condominiums and commercial buildings across the Greater Toronto Area. To discuss your building's documentation standard, request a confidential property assessment or contact us directly.