General obligations relating to personal information for agents and associated organisations
An agent must act honestly, fairly and professionally and exercise reasonable skill, care and diligence. An agent also must not use or disclose confidential information (including personal information) unless the client or customer authorises this use, or it is otherwise required by law. These requirements are set out in Schedule 1 of the Property and Stock Agents Regulation 2022.
Most organisations with an annual turnover of over $3 million must also comply with Federal privacy laws. These include requirements to notify certain data breaches and to comply with the 13 Australian Privacy Principles which provide the standards, rights and obligations relating to:
- the collection, use and disclosure of personal information
- an organisation’s or agency’s governance arrangements
- quality and correction of personal information
- the rights of individuals to access their personal information
- security and destruction of personal information.
The principles broadly require organisations to:
- manage personal information in an open and transparent way and have a publicly available privacy policy
- only collect personal information that is reasonably necessary for an organisation’s functions and activities and usually directly from the individual concerned
- notify a person about information collected about them and how it will be used
- allow a person to access information held about them
- only use or disclose personal information for the purpose for which it was collected
- only use or disclose personal information for direct marketing in limited circumstances, and provide an easy means for individuals to request not to receive marketing communications
- take reasonable steps to ensure that information collected is accurate, up to date and complete
- take reasonable steps to protect personal information it holds from misuse, unauthorised access or disclosure or modification, and destroy information that is no longer needed
- allow a person to access and correct information held about them.
For agents, property managers, landlords and organisations with an annual turnover of less than $3 million, the Australian Privacy Principles provide best practice guidance for managing personal information provided by tenants.
Property agencies should prepare and maintain written procedures for the collection, use, storage and disposal of personal information obtained during the organisation’s business.
It is best practice for agencies to publish information and explanations about the use of tenant personal information, including how long the data will be stored, what measures are in place to protect confidentiality and whether it is shared with any third parties.