Fair Trading Commissioner's Guidance

After a tenancy agreement is entered into

The following guidance is considered by the Fair Trading Commissioner to be best practice for landlords, agents and third party tenancy application platforms in dealing with tenants’ personal information.

For information about the general obligations that apply to real estate agents and the application of the Australian Privacy Principles to businesses that deal with personal information please see here.

Agents and landlords should destroy personal information when it is no longer needed

Personal information should only be kept for as long as is reasonably necessary. It is important to consider whether there is an ongoing need or legal basis for holding the information. There should be clear and justifiable reasons for continuing to store personal information – these reasons may reduce over time.

Where there is no longer a reason to hold the information, it should be destroyed.

A clear example of personal information that should be destroyed is information collected from unsuccessful applicants for a tenancy. There is no need for this information to be retained and doing so exposes the unsuccessful applicant and the agent to considerable risk in the event of a data breach.

Agents may wish to keep file notes noting why they selected the successful tenant. This is acceptable where the file notes do not contain unnecessary personal information about the unsuccessful applicants.

Information stored in hard copy should be shredded before it is disposed of. If information is stored electronically, such as in cloud-based storage servers, USBs or with a third-party provider, consideration should be given to how to ensure digital records are permanently destroyed, including records held in any back-up system or offsite storage.

Example – deletion of unsuccessful applications collected and stored through a third-party

Ten prospective tenants apply for a property through a third-party platform, and one is successful. Thirty days after the successful tenant’s lease commences, the records of all unsuccessful applications, including supporting documentation, are deleted from the third-party platform and unsuccessful applicants are notified of this deletion.

This would be considered best practice.

Example – storing and disposing of personal information held by the agent

An agent receives a large number of applications for a rental property. The agent stores the applications on a password protected, secure ICT system. Once a tenancy agreement has been entered into, the agent permanently deletes all applications other than the one for the successful tenant.

For the successful tenant, the agent only retains the information necessary for overseeing the tenancy. The agent also ensures that all personal information relating to the successful tenant is permanently deleted when it is no longer necessary to hold it.

This would be considered best practice.

Use and disclosure of information and direct marketing

The Australian Privacy Principles emphasise that an organisation should only use or disclose personal information for the reason they collected it.

This means that information collected from a person for the purpose of applying for a tenancy should not be used for direct marketing unless the person consents or would reasonably expect it to be used for direct marketing. Even if the information can be used for marketing purposes, the person concerned should be given a means to ’opt out’ from receiving any direct marketing.

Example – disclosing marketing practices and providing an option to opt-out

As part of the tenancy application process, an agent asks prospective tenants whether they own any other property. The application form makes clear that this question is for marketing purposes, and allows the applicant to choose not to answer, and ‘opt out’ of marketing communications.

This would be considered best practice.

Print this page

Request accessible format of this publication.