Privacy Breaches, Complaints and Regulator Contact: What Real Estate Agencies Need to Know in 2026

Most real estate agencies assume privacy problems only matter if there has been a major data breach.

That assumption is wrong.

In 2026, many privacy issues start with something much smaller. A tenant asking for a copy of their file. A buyer questioning why they are still receiving marketing emails. A former applicant wanting to know why their documents are still being held.

These are not dramatic events, but they are often the first step toward complaints, investigations, and regulatory attention.

As privacy audits continue into February 2026, agencies are discovering that how they respond to everyday privacy issues matters just as much as whether a breach has occurred. This second blog in our Privacy Super Guide series explains what counts as a privacy breach, how complaints and access requests should be handled, and what to expect if the regulator contacts your agency.

What Counts as a Privacy Breach in Real Estate

When people hear the words privacy breach, they often think of hacking or ransomware attacks. While those events do occur, many breaches in real estate are far more ordinary.

A privacy breach occurs whenever personal information is accessed, disclosed, lost, or used in a way that is not authorised. This can include emailing personal information to the wrong person, leaving application forms unsecured, losing a USB drive, or allowing staff access to files they should not see.

Even small incidents can qualify. For example, sending a rental application to the wrong landlord, or forwarding an email chain that contains personal details without checking who is copied in.

We regularly see agencies dismiss these incidents as mistakes rather than breaches. The law does not make that distinction. What matters is whether personal information was mishandled. Not every breach must be reported to the regulator, but every breach must be assessed. Agencies are expected to have a process for identifying, recording, and responding to privacy incidents.

Complaints and Access Requests Are Often the Real Trigger

In practice, many privacy investigations begin with a complaint rather than a breach report. 

Individuals have the right to request access to their personal information and to ask for corrections if it is inaccurate. Agencies must respond within a reasonable time and cannot simply ignore or delay these requests. 

Common mistakes include not recognising an access request when it arrives, asking unnecessary questions before responding, or failing to provide information in a usable format. 

We assisted an agency that received an email from a former tenant asking for a copy of their application file. The request sat unanswered for weeks because no one recognised it as a formal privacy request. The tenant then escalated the matter to the regulator.  

What could have been resolved with a simple response turned into a formal enquiry. The issue was not the data itself, but the lack of a clear process. 

Complaints can also arise from marketing practices. Individuals often complain that they did not consent to receive communications or that opting out was difficult. If your privacy policy does not clearly explain marketing use, or your systems do not honour opt-out requests, this becomes a problem.

What Happens When the Regulator Contacts Your Agency

One of the most common questions we hear is what actually happens when the regulator gets involved. 

In many cases, the initial contact is a request for information rather than an accusation. The regulator may ask for a copy of your privacy policy, details of your data handling practices, or an explanation of how a specific incident was managed. 

How you respond matters. Providing clear, accurate information promptly can significantly influence the outcome. Delays, incomplete responses, or inconsistent explanations raise red flags. We worked with an agency that received a regulator enquiry following a tenant complaint. The agency had reasonable practices but poorly documented processes. We helped them prepare a clear response, update their privacy documentation, and implement missing procedures. 

The regulator did not take enforcement action. The matter was resolved with guidance rather than penalties. 

By contrast, we have seen agencies worsen their position by responding defensively or providing information that did not match their actual practices. 

Regulators are not expecting perfection. They are expecting honesty, transparency, and evidence that agencies take privacy obligations seriously. 

Data Breach Response Plans Are No Longer Optional 

One of the biggest gaps we see is the absence of a clear breach response plan. 

Agencies often assume they will work it out if something goes wrong. That approach rarely works under pressure. 

A data breach response plan does not need to be complex. It should identify who is responsible, how incidents are assessed, when legal advice is sought, and whether notification obligations apply. 

We assisted a mid-sized agency after a staff member accidentally emailed sensitive tenant information to the wrong recipient. Because there was no plan, staff panicked and delayed action. By the time advice was sought, valuable time had been lost. We helped the agency assess the incident, notify affected individuals appropriately, and update internal procedures. A simple plan now exists so staff know exactly what to do if something similar happens again.

Preparation reduces both risk and stress. 

The Data Breach Rules Real Estate Agencies Must Follow

Not every privacy issue is a reportable data breach, but every suspected breach must be assessed.

If your agency is covered by the Privacy Act, including where Anti-Money Laundering obligations apply, you must follow the Notifiable Data Breaches rules.

In simple terms, a data breach occurs when personal information is accessed, disclosed, lost, or used without authorisation. This can include accidental emails, hacked email accounts, lost devices, unauthorised staff access, or documents being sent to the wrong person. 

Once a breach is suspected, your agency has up to 30 days to assess whether it is likely to cause serious harm to an individual. Serious harm can be financial, reputational, emotional, or psychological. 

During this period, you must take reasonable steps to contain the breach and reduce the risk of harm. This might include securing systems, resetting passwords, disabling access, or recovering information. 

If a reasonable person would conclude the breach is likely to cause serious harm, it becomes a notifiable data breach. This means you must notify the Office of the Australian Information Commissioner and affected individuals as soon as practicable, and no later than 30 days after discovering that the breach has occurred.

Importantly, how you respond matters. Following recent legislative changes, agencies can face penalties not just for the breach itself, but for failing to assess it, delaying notification, or providing incomplete or misleading information.

Where AML obligations apply, breaches involving identity documents and verification data are treated as higher risk, and regulators expect agencies to have stronger controls and clearer response processes in place. 

This is why having a simple, documented data breach response plan is no longer optional. 

Case Studies From Agencies Navigating Complaints and Breaches 

Case Study 1: The ignored access request  

A former tenant emailed an agency requesting a copy of their personal information. The email was treated as a general enquiry and never answered. The tenant complained to the regulator. We helped the agency respond, provide the requested information, and implement a simple access request process. The regulator closed the matter without penalty. 

Case Study 2: Email sent to the wrong landlord   

An agent mistakenly sent a rental application containing personal details to the wrong landlord. The incident was initially dismissed as minor. 

We assisted the agency to assess the breach, notify affected parties, and document the response. This prevented further escalation and improved internal awareness. 

Case Study 3: Marketing complaint exposes policy gap    

A buyer complained they were still receiving emails after opting out. Investigation revealed the privacy policy did not clearly explain marketing practices. 

We updated the policy, aligned systems, and trained staff. Complaints stopped and compliance improved. 

Key Takeaways

  • Privacy breaches are often small, everyday mistakes

  • Complaints and access requests commonly trigger regulatory attention

  • Agencies must respond promptly and clearly to privacy requests

  • Regulator contact is often information gathering, not punishment

  • A compliant data breach response plan significantly reduces risk

Next Steps

If your agency does not have clear processes for handling privacy complaints, access requests, and incidents, now is the time to fix that. These issues are far easier to manage before something goes wrong.

Book your free 10-minute call today. We can help you assess your current position, close gaps, and put simple systems in place that protect your agency.


Frequently Asked Questions (FAQ)

  • Assess the incident promptly, contain it, document what happened, and seek advice if unsure whether notification is required.

  • No. Only eligible data breaches must be reported, but all breaches should be assessed and recorded.

  • Agencies must respond within a reasonable time and cannot unreasonably delay or refuse access.

  • Ignoring complaints often escalates matters and increases regulatory risk.

  • Yes. Regulators consider how an agency prepares for and responds to privacy issues.


The O*NO Legal Team

O*NO Legal is a team of commercially-minded lawyers who specialise in helping business owners—particularly in real estate and service-based industries—stay compliant, protect their assets, and grow with confidence. Led by Founder Kristen Porter, our team combines deep legal expertise with firsthand business experience. We don’t just interpret the law—we translate it into strategic advice you can actually use. From contracts and employment to privacy, compliance, and M&A, we’re here to simplify the complex and make the law work for you. At O*NO Legal, we’re changing the way business owners experience legal services.


Boring legal stuff: This article is general information only and cannot be regarded as legal, financial or accounting advice as it does not take into account your personal circumstances. For tailored advice, please contact us. PS - congratulations if you have read this far, you must love legal disclaimers or are a sucker for punishment.
