Practical privacy for the real estate sector

The collection and management of personal information is becoming more important in all areas of real estate, including buying and selling, funds management, finance and construction. 

The Privacy Act 1988 (‘Privacy Act’), which is currently under review and may introduce stricter rules in 2025, presently applies to organisations with over $3 million in annual turnover, as well as some other organisations. If this applies, real estate agencies, commercial and residential property platforms, developers and building contractors are required to comply with the Privacy Act and the Australian Privacy Principles (‘APPs’).

Need to know:

  • Property businesses with an annual turnover of more than $3M must adhere to the Privacy Act when it comes to the collection and management of personal information.
  • Privacy governance is crucial – upholding APPs and maintaining an updated Privacy Policy are integral in preserving privacy rights.
  • Particular attention should be paid to the collection of personal information, and correctly communicating how it will be used.
  • Tenant privacy is a core aspect of privacy management in the real estate sector. Guidelines restrict the collection and utilisation of government-issued identifiers such as tax file numbers, Medicare numbers, or driver’s license numbers by organisations.

Lead lists and privacy

Commissioner Initiated Investigation into Property Lovers Pty Ltd (Privacy) [2024] AICmr 249 (22 November 2024) considers matters that are relevant to real estate lead generation, property related transactions, property development and other verticals in the sector. In this specific case, the Privacy Commissioner highlighted how the APPs work – in a practical sense – to preserve the privacy rights of individuals and inform good decision making by organisations in the sector. Some key considerations include:

  1. Good privacy governance is good for business: An organisation should implement practices, procedures and systems that enable compliance with the APPs (APP 1.2) and have a clearly expressed and up-to-date Privacy Policy (APP 1.3) that contains specific information about the organisation’s information practices (APP 1.4). Internal privacy accountability structures, policies, procedures and privacy training all speak to good governance. Likewise, a published Privacy Policy that reflects the actual personal information handling practices of the organisation – rather than being a purely ‘aspirational’ document or, worse, being subsumed by commercial Terms and Conditions that demand a person’s consent to all information handling – helps individuals to make informed decisions about their dealings with the organisation going forward.
  2. If it’s not fair, forget it: When collecting personal information from third-party websites, databases or other sources for the purpose of creating a lead list, ensure the collection is made using both lawful and fair means (APP 3.5). A lead list is generally understood to be a collation of potential customers (or ‘leads’) that may be interested in an organisation’s product or service – or otherwise fit an ‘ideal customer profile’ – and may be created in-house, purchased from a vendor or compiled and managed within an organisation’s CRM. Key factors in determining whether a collection for a lead list is made fairly include whether the organisation has engaged in intimidation, coercion or deception to obtain the information, and whether the individual would consider the means of collection to be unreasonably intrusive (or, conversely, whether the individual would reasonably expect such a collection to occur in the circumstance).
  3. Notify: When collecting personal information, steps should be taken – at the time of collection, or as soon as reasonably practicable – to notify a person of the collection (APP 5) including what personal information is being collected, why, what will be done with it and other prescribed matters (APP 5.2). This is a critical step in organisational transparency and helps to establish a reasonable expectation of the individual about what will happen to their personal information. Good notification practices also help organisations to demonstrate – in the event of a complaint or regulatory scrutiny – that their collections of personal information have been made fairly. Notification is often made using a written ‘collection notice’ contained on a hard copy or electronic form; however, organisations are not limited in the manner of notification. An icon or graphic, QR code, pop-up box, banner or short video could also be used to provide notification, as long as the specific matters set out in APP 5.2 are addressed.
  4. Quality control is key: In the context of lead lists, and considering the purposes for which these may be used or disclosed by an organisation, reasonable steps should be taken to ensure that personal information contained on the lists is accurate, complete, up to date and relevant before the lists are used or disclosed (APP 10.2). Factors that heighten the importance of quality control include whether individuals are likely to be contacted or targeted directly, whether the personal information at hand includes sensitive information (as defined in the Privacy Act) or would likely be viewed by the individual as sensitive in the context, and the extent to which there may be adverse consequences for the individual if an organisation relies on inaccurate or out of date information. Organisations that purchase lead lists from vendors should beware: through their own Terms and Conditions, vendors often disclaim responsibility for the accuracy and completeness of their lists, which places the organisation at risk of being unable to assert or verify data quality.

Tenancy and privacy

The Office of the Australian Information Commissioner provides resources on key privacy concepts and application of the APPs, which are generally sector agnostic.

It also offers more specific guidance associated with the privacy rights of tenants and commensurate obligations of real estate agents, which highlights practical challenges such as the potential for over-collection of personal information, unauthorised uses and disclosures of personal information and managing such information in accordance with the Privacy Act throughout its lifecycle. The guidance notes, for example, that organisations must capture, use and disclose government-issued identifiers such as tax file, Medicare or driver’s license numbers only for authorised purposes.

Appropriately managing such identifiers can be a pitfall for many organisations, noting that strict rules (collectively, the ‘TFN Rule’) govern the collection, handling, security and destruction of tax file numbers of individuals, and real estate agents (even those not otherwise covered by the Privacy Act) must comply with these.

Questions?

Helios Salinger works together with Hamilton Locke to bring timely and practical legal and operational advice to our real estate sector clients. For more information, please visit the Helios Salinger website or reach out to Nicole Stephensen, Partner – Privacy.
