Privacy Policies – Is yours up to date?

 


What is personal information?

Under the Australian Privacy Act 1988, personal information is defined as information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information/opinion is true or not, and whether recorded in a material form or not. In general terms, it is any information that can be used to personally identify you. This may include your name, address, telephone number, email address, credit information and profession or occupation. If the information collected personally identifies you, or you are reasonably identifiable from it, the information will be considered Personal Information.

In accordance with the recent privacy reforms, agencies are required to revise their Privacy Policies on their websites as well as the copies displayed during Open for Inspections to incorporate the following updates:

  • Transparency: Agents must explicitly state how personal information is collected, used, disclosed and destroyed. 
  • In-person Collection: Agents must reflect in-person data collection (e.g. at open for inspections) and this data must be made easily accessible should a client request it. Be careful with paper registers as they can be a breach of Australian Privacy Principle 11 (APP11) because other people can take photographs of the register. If you do use paper registers, ensure that reasonable steps are taken so they are kept secure, and others cannot access the details. If someone does not consent to provide information, you can bar access to the property that is open for inspection. If they provide information, then you have obtained their voluntary consent.
  • Minimised Data Collection: Agents must only collect necessary information. Collecting excessive details such as tattoos, relationship status, full social media history, or unnecessary financial details (such as excessive requests for bank statements) is prohibited.
  • Secure Destruction: Personal information must be destroyed or de-identified when no longer needed. To destroy information means rendering it irretrievable, rather than merely archiving it. To de-identify information means to make it so that the identity of that individual can no longer be ascertained from that information. For example, the new privacy standards require the destruction of unsuccessful tenant information. This data can no longer be kept “just in case” and stricter rules also apply for third-party CRM platforms.

The Office of the Australian Information Commissioner (OAIC) recently found that the rental application platform “2Apply”, which is operated by InspectRealEstate (IRE), over-collected renter data using unfair and coercive design practices. The regulator found that IRE was collecting unnecessary personal details from renters, including gender, student status, citizenship and visa information.

  • Standardised Applications: New laws mandate a standard rental application form to clarify what information can and cannot be collected, aimed at preventing intrusive and non-essential requests. 
  • AI and Automated Decision-Making Disclosure: Automated decision-making refers to when an organisation uses technology (like algorithms or AI systems) to make decisions about individuals with no human involvement or minimal human review.  For example: 
    • automatically approving or rejecting tenancy applications based on credit score checks. 
    • auto-calculating rent increases based on market data. 
    • using AI chatbots to decide maintenance request prioritisation. 

AI-generated images in rental listings must also be disclosed to prevent misleading advertisements. 

  • Legal Obligations: Agents must comply with the 13 Australian Privacy Principles (APPs) if their turnover exceeds $3 million, including strict data breach notification requirements. This is irrespective of your business structure. 
  • Consent & Use: Personal information must not be used or disclosed for any purpose other than what was originally authorised, including for marketing activities. Any “direct marketing” type of communication should have an easy-to-use “unsubscribe” functionality to comply with APP7 and the Spam Act.
  • Offshore support services and data storage: An agency may utilise offshore administrative or support personnel in connection with the provision of its real estate and property management services. In some circumstances, this may involve the cross-border disclosure of personal information to overseas service providers for administrative, operational, or support-related functions. Any access to personal information by offshore personnel is subject to strict confidentiality obligations, security controls, and privacy protections consistent with the Australian Privacy Principles contained in the Privacy Act 1988 (Cth).

It should be noted that you cannot charge a person for making a request to access their personal information, but you can charge them a fee for providing them access to the information. This fee cannot be excessive, and could include staff-related costs of locating, sorting through and assembling the personal information as well as reproducing and sending it, and the costs associated with any material or postage required.

Entities found to have non-compliant privacy policies may face compliance and infringement notices and penalties of up to $66,000. Legislative changes to the Privacy and Other Legislation Amendment Act 2024 increased the regulatory powers of the OAIC, and the changes were expanded to protect against information sharing. This includes the failure to have a Privacy Policy containing specific information.

These changes have tightened enforcement on how agencies collect personal data, resulting in active sweeps by the regulator. Therefore, please ensure your agency’s Privacy Policy is up to date and on display on your website, at reception, and at your open for inspections.

Should your agency require assistance with updating its Privacy Policy or should you require an overall Compliance Check, please contact the College on 1300 88 48 10 or enquiries@acop.edu.au
