The biggest mistake your boutique Real Estate Agency has made in relation to privacy

Privacy and Security
Written By Noni McDonald

O*NO! You don’t comply with the Privacy Act as you have been told you don’t need to, but you have fallen into the biggest privacy trap out there.
You signed up, without knowing it, and have promised to comply. Not convinced? Read on.

We know the Privacy Act applies to all businesses with a yearly turnover greater than $3m who handle personal information in Australia. These businesses must comply with the Australian Privacy Principles (APPs) found in the Act.

Did you know that some small businesses (those with under $3m turnover) can come under the Privacy Act in other ways.  The Privacy Act applies to all businesses operating residential tenancy databases (RTDs), regardless of their revenue.  RTD operators are therefore subject to all of the provisions of the APPs.

As a real estate agent, you may be under the impression that unless your agency turns over $3m you don’t need to comply with the APPs. Unfortunately a lot of agencies make this mistake and don’t realise they have agreed to comply with the APPs through an RTD contract.

What do residential tenancy databases have to do with my agency’s privacy compliance?

We know that RTDs are privately operated electronic databases such as TICA, the National Tenancy Database, and Trading Reference Australia. The databases store information about residential tenants’ rental history including defaults or alleged defaults on tenancy agreements, damage to property, and rental arrears. This includes personal information about individual tenants.

If you have a Property Management businesses you will be using TICA or an equivalent RTD. If not, you are being negligent and not taking the responsibility of leasing seriously. When your agency signed up to use an RTD, you agreed to comply with the APPs. It is likely that you may have missed one of the most important points in that agreement.

Here is an excerpt of TICA’s membership T&C’S:

The member agrees:

1.      That they are able to substantiate the information recorded about an individual on the databases.

2.    That they will abide by the Australian Privacy Principles.

3.      That the information recorded on the database is accurate complete and up to date.

Check it out for yourself - https://www.tica.com.au/policies.php

Why do RTD’s make you agree to this? In short, TICA and other data bases got in trouble by the Privacy Commissioner for how they dealt with personal information. They make your agency to agree to comply with the APPs to shift the risk from them to you. If they get complaints or claims against them in relation to personal information that you provided to them (or received from them) and you haven’t complied with the APPs, they can point to you and you become liable to any fines, claims or compensation.

What does this mean for your agency?

  • It means you have likely made a contractual promise to a database operator that you will treat personal information as if you were subject to the Privacy Act.

  • It means the database operator is indemnified if you don’t comply with the APPs. Your agency could be liable for any penalties and to cover legal costs of the database operator if a complaint is made about them due to your breach.

  • It means you need to be Privacy Prepared! If you thought the APPs didn’t apply to your agency you should review your practices now. You may need to update or rewrite procedure manuals and policies to meet APP requirements.

Nailing Your Privacy Must Haves is your first step in being Privacy Prepared

  • Your agency must be open and transparent about how you manage personal information and how you will handle inquiries and complaints.

  • Your Privacy Policy and Collection Notices must be clearly expressed and accessible.

  • You must adhere to your policies in order to protect personal information in line with the APPs.

  • Once you have collected personal information, you need to know your data - where it is, how it is stored, who can access it and what you will do if there is Data Breach.

  • You need a data breach response plan which clearly states how you will deal with any data breach.

  • Don’t let your brand suffer! Send a clear message on Privacy by keeping your policies up to date.

Boring legal stuff: This article is general information only as cannot be regarded as legal, financial or accounting advice as it does not take into account your personal circumstances. For tailored advice, please contact us.

Noni McDonald
Previous

4 Critical factors when buying a rent roll
Next

5 Privacy Tips