Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a real estate agency, property management business, buyer’s advocacy service, or proptech platform, you probably handle personal information every day. Think rental applications, copies of IDs, employment details, bank statements, inspection photos, CCTV footage, and sometimes even sensitive information about tenants’ health or family situations.
That’s why the Privacy Act 1988 is relevant to property businesses. While privacy compliance can sound like something only big tech companies need to worry about, Privacy Act 1988 compliance issues in real estate can come up in very ordinary day-to-day workflows.
The good news is you don’t need to turn your business upside down to comply. With the right systems, clear documents, and a few good habits, you can reduce risk and build trust with landlords, tenants, and buyers.
Below is a practical, small-business focused guide to what the Privacy Act means for real estate, what to put in place, and how to avoid the most common pitfalls.
Why The Privacy Act 1988 Matters In Real Estate
Real estate businesses often collect information that is both:
- high-volume (multiple applicants, ongoing tenant records, routine inspections), and
- high-risk (identity documents, finances, family details, and sometimes sensitive information).
Even if you don’t think of yourself as a “data business”, you likely hold enough information to cause serious harm if it’s mishandled (for example, identity theft, stalking risks, discrimination allegations, or financial loss).
Privacy compliance also intersects with everyday operations, such as:
- how you advertise properties and publish photos
- how you screen tenants
- how you communicate with strata managers, landlords, and trades
- how you store application documents and condition reports
- how you run surveillance like CCTV or call recordings
In other words, Privacy Act 1988 obligations in real estate aren’t theoretical. They show up in your leasing workflow, property management systems, marketing, and dispute handling.
Do All Property Businesses Have To Comply?
Not every small business is automatically covered by the Privacy Act. Many “small businesses” are exempt if their annual turnover is $3 million or less, but there are important exceptions that can bring a property business within the Act (for example, if you operate as a related body corporate of a larger group, or if you handle certain types of higher-risk information or activities).
Real estate and property businesses still need to take privacy seriously because:
- you might be covered due to your size or structure,
- your business activities might trigger specific privacy obligations (for example, tenant screening and credit reporting-related processes), and
- even where the Privacy Act doesn’t technically apply, customers and counterparties often expect privacy-safe practices (and it can still reduce operational and reputational risk).
If you’re unsure where you sit, it’s worth getting advice early so your processes scale properly as your rent roll and transaction volume grow.
What Counts As “Personal Information” In Real Estate?
Under the Privacy Act, personal information is information or an opinion about an identified individual (or someone who is reasonably identifiable). In property, this often includes more than people realise.
Common Examples In Property And Leasing
- rental applications (names, DOB, addresses, employment, income)
- copies of driver licences, passports, Medicare cards
- bank statements, pay slips, Centrelink details
- tenant ledgers, arrears notes, breach notices
- inspection reports (including photos that show people’s belongings)
- complaints about neighbours (especially where identifiable)
- email and SMS communications about tenancy issues
Sensitive Information: Where Real Estate Businesses Can Accidentally Collect Too Much
Sensitive information is a special category that generally needs higher care. In a property context, you might come across it when applicants include supporting documents relating to:
- medical conditions (for example, requests for accessibility modifications)
- family violence situations (for example, urgent relocation requests)
- racial or ethnic background (sometimes inferred from documents)
- union membership (less common, but can appear in employment documents)
A practical compliance tip: ask yourself whether you truly need a particular document. Many privacy issues start with over-collection (“we asked for everything, just in case”). If you don’t need it, don’t collect it.
What About Photos, Video, And Audio?
Media can be personal information if it identifies someone (or makes them reasonably identifiable). In real estate, this can include:
- inspection photos showing family photos, mail, or identifying items
- CCTV footage in common areas
- recorded phone calls with tenants and owners
If your business uses surveillance or recordings, you should also check the state-based rules. For example, if you operate in Victoria, you’ll want to align with recording laws and your internal policies.
When Does The Privacy Act Apply, And What Are The Core Duties?
At a practical level, Privacy Act 1988 compliance in real estate usually comes down to a few recurring questions:
- What are you collecting?
- Why are you collecting it?
- How are you telling people about it?
- Who are you sharing it with?
- How are you storing it and keeping it secure?
- When (and how) do you delete it?
The Privacy Act includes a set of principles that guide these obligations (often referred to as the Australian Privacy Principles). Instead of memorising each principle, it’s usually more useful to translate them into operational rules your team can follow.
Collection: Only Collect What You Need (And Be Clear About Why)
In real estate, you may collect personal information directly from the person (for example, through an application form) or indirectly (for example, from referees, tenancy databases, or credit reporting processes). A compliance-minded approach is to:
- limit your forms to what is reasonably needed for the decision
- avoid “nice to have” information that increases risk
- make it clear what information is required vs optional
Notification: Tell People What You’re Doing With Their Data
Whenever you collect personal information, you should think about whether you need a clear collection notice and a Privacy Policy that explains (in plain English) what you collect, how you use it, and who you disclose it to.
This is particularly important where you’re collecting via:
- online rental application portals
- your agency website enquiry forms
- email signups for property alerts
Use And Disclosure: Sharing Needs A Legitimate Reason
Property businesses routinely share information with:
- landlords and investors
- strata managers
- maintenance providers and trades
- insurers
- legal representatives and tribunals
The key is to share only what’s necessary for the purpose, and to be cautious about casual disclosures (for example, forwarding full application packs to multiple owners when a shortlist would do).
It’s also worth flagging that tenant screening can overlap with specific rules around tenancy databases and credit reporting. If you use these tools, you should ensure your notices, consents (where required), and internal processes match the relevant requirements.
Security: Protect The Info You Hold
Security is where many small businesses feel overwhelmed. The aim is not perfection. The aim is reasonable protection for the sensitivity of what you hold.
For a property business, “reasonable steps” often include:
- unique logins for staff (not shared passwords)
- multi-factor authentication where available
- access levels (property managers don’t need access to everything)
- secure storage of ID documents
- staff training and clear internal processes
- safe email practices (double-check recipients, avoid “reply all” leaks)
Real Estate Privacy Risks (And How To Handle Them In Practice)
Let’s get practical. Here are some common scenarios where Privacy Act 1988 compliance issues can arise in real estate, plus what to do instead.
Rental Applications And ID Documents
Rental applications often include highly sensitive documentation. Risks can include:
- collecting excessive documents (increasing breach impact)
- storing documents longer than needed
- emailing applications without secure sharing methods
Practical steps:
- minimise what you request upfront (stage requests where possible)
- set retention periods (for unsuccessful applicants, consider how long you genuinely need to keep the file)
- use secure systems rather than forwarding attachments repeatedly
Inspection Reports And Photos
Inspection photos can inadvertently capture private details, including children’s items, medication, religious items, or personal mail. While condition reporting is legitimate, you should still aim to minimise collateral collection.
Practical steps:
- train staff on photographing the property condition, not personal items
- avoid photographing identifying documents or family photos where possible
- be careful when sharing reports externally (for example, with owners)
Marketing Properties (And Avoiding Accidental Privacy Breaches)
Marketing can create privacy risks when you post photos or videos that reveal personal information. This can happen with:
- tenanted properties where personal belongings are visible
- floor plans and photos revealing security features
- testimonials that identify clients without clear consent
Practical steps:
- check marketing collateral before publishing
- build consent into your onboarding process for owners and tenants where relevant
- have a clear “take-down” process if someone raises a privacy concern
CCTV And Surveillance In Property Businesses
If you operate CCTV (for example, in your office, or you manage buildings that use CCTV), privacy and surveillance laws can overlap. You may need signage, clear purposes, restricted access, and a plan for retention.
It’s also worth aligning this with general workplace expectations if you have staff and cameras in the workplace. Issues often arise when cameras are introduced without a clear policy or where employees are not properly notified.
If cameras are part of your operations, it can help to understand broader CCTV laws in Australia and document your approach.
Recording Calls With Tenants, Landlords, Or Prospective Buyers
Many real estate businesses record calls for training, dispute management, or “he said / she said” protection. However, call recording is regulated and the rules vary across Australia.
If your business records calls, you should review your compliance settings, scripts, and staff training. A practical starting point is understanding business call recording laws and ensuring your privacy documentation matches what you actually do.
What Documents And Policies Should Real Estate Businesses Have?
Good privacy compliance isn’t just about avoiding mistakes. It’s about building repeatable systems so your team can confidently do the right thing, even on busy days.
For most property businesses, the following legal documents and policies are worth considering.
- Privacy Policy: Sets out what personal information you collect, how you use it, who you share it with, and how people can access or correct their information. This is especially important if you collect information via your website or online forms. A tailored Privacy Policy is a strong baseline.
- Privacy Collection Notice: A short, practical notice used at the point of collection (for example, within a rental application form). It helps ensure people understand what’s happening when they hand over personal information. In many cases, a privacy collection notice can be the difference between a smooth process and a complaint.
- Website Terms: If you run an agency website with enquiry forms, property alert subscriptions, or online applications, clear Website Terms and Conditions can support your operational rules (including acceptable use and content ownership).
- Internal Policies And Staff Training Materials: Privacy compliance often breaks down due to human error. A practical internal policy should cover access, storage, deletion, scams/phishing, and disclosure rules.
- Data Breach Response Plan: If something goes wrong (for example, an email sent to the wrong person, or an account compromised), speed matters. A data breach response plan helps your team respond consistently, document decisions, and reduce impact.
Not every business needs every document, and your setup should match how you operate (for example, whether you use third-party application platforms, whether you run CCTV, and how you store ID documents). The main goal is to make sure your paperwork reflects reality.
Step-By-Step: A Practical Privacy Compliance Checklist For Property Businesses
If you’re not sure where to begin, this checklist can help you roll out Privacy Act 1988 compliance for your real estate business in manageable steps.
1. Map What You Collect (And Where It Lives)
Write down:
- what personal information you collect (applications, inspections, marketing lists)
- where you collect it (website, email, paper forms, third-party portals)
- where it’s stored (property management software, cloud storage, inboxes)
- who has access (property managers, admin staff, contractors)
This “data map” is often the quickest way to identify risk hotspots, like old shared inboxes or staff downloading application packs to personal devices.
2. Reduce Over-Collection
Ask: what do we actually need to make a leasing decision or manage a tenancy?
Where possible:
- remove unnecessary fields from forms
- avoid collecting sensitive documents unless genuinely required
- set expectations with applicants about what you do and don’t need
3. Put Clear Notices In The Right Places
Make sure your Privacy Policy is easy to find on your website and that your forms or portals include a clear collection statement. If you use QR codes at opens or run competitions for lead generation, make sure the collection message still reaches people at the point they submit data.
4. Tighten Security And Access Controls
Simple improvements can make a big difference, like:
- turning on multi-factor authentication
- removing former staff access quickly
- setting role-based access inside your systems
- locking down shared drives and folders
5. Set Retention And Deletion Rules
One of the most common real estate privacy mistakes is holding onto everything indefinitely “just in case”. If you keep information longer than necessary, you increase the harm and clean-up burden if a breach occurs.
Start with practical categories, such as:
- unsuccessful rental applications
- old inspection photos
- outdated owner and tenant ID documents
Then create a process for secure deletion and periodic review.
6. Train Your Team (And Keep It Simple)
Most privacy incidents are not malicious. They’re human error.
Consider training staff on:
- how to verify identity before disclosing information
- how to send emails safely (and when to use BCC)
- what to do if they accidentally send something to the wrong person
- how to handle requests for access or correction
7. Plan For Breaches Before They Happen
A breach response plan should answer:
- who is notified internally
- how you contain the issue
- how you assess risk
- how you communicate with affected people
- how you prevent repeat incidents
Also keep in mind the Notifiable Data Breaches (NDB) scheme, which can require you to notify affected individuals and the OAIC if an “eligible data breach” occurs (generally, a breach likely to result in serious harm). Having your response plan ready helps you assess and act quickly.
This is one of those “you’ll be glad you have it” documents.
Key Takeaways
- Privacy Act 1988 compliance matters in real estate because property businesses handle large volumes of high-risk personal information, especially in rentals and property management.
- Personal information in real estate includes obvious items like IDs and bank details, but also inspection photos, complaint records, and communications.
- Common risk areas include rental applications, marketing tenanted properties, inspections, CCTV, tenant screening processes, and call recording.
- Practical compliance starts with minimising what you collect, giving clear notices, restricting access, improving security, and setting deletion rules.
- A Privacy Policy, privacy collection notice, and breach response plan can help make privacy compliance repeatable and easier for your team to follow.
Disclaimer: This article is general information only and does not constitute legal advice. For advice about your specific situation, speak to a lawyer.