Privacy tips for real estate agents

3 February 2022

By Toby Blyth & Jessica Yazbeck

Overview of the Privacy Act

The Privacy Act 1988 (Cth) promotes and protects the privacy of individuals and regulates how Australian Government agencies and organisations handle personal information, principally via the APPs (Australian Privacy Principles) and the notification of eligible data breaches (NDB) scheme.

To the extent that the Act applies to a real estate agent, its obligations are additional to the PSA regulations.

What is personal information?

Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable: whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not.

Sensitive personal information is a subset of personal information that includes information or an opinion about an individual's racial or ethnic origin (which can be embodied in photographs), political opinions or associations, criminal record, health or genetic information, sexual orientation, religious beliefs, trade union membership, and some aspects of biometric information.

All information about individual vendors and purchasers, and information about tenants, is personal information. Even where a client is not a natural person, the names and contact details of individuals within that client can also be personal information (e.g. [email protected] is personal information, but [email protected] is not).

There is no test of confidentiality - if you hold personal information it is covered regardless of whether it is confidential.

Information you hold about one of your employees (but not contractors or visitors) is exempt.

Who does it apply to?

The Privacy Act and the APPs apply to APP entities.

An APP entity is an organisation and includes individuals, bodies corporate, partnerships, trusts or any other unincorporated association. This includes a business incorporated in Australia, or an organisation that operates or carries on business in Australia and collects or holds personal information in Australia.

However, an APP entity that is a small business operator (i.e. with an annual turnover of less than $3,000,000) is exempt under the Privacy Act. There are some quirks in this test and you should review the OAIC's small business checklist before you rely on this exemption.

This is referred to as the 'small business exemption'. Other exemptions include employee records, political parties, and journalism.

Agents should take care with Question 3 on the checklist, and note the OAIC says "For example, where a small business sells their customer list to a marketing company or gives their own list in return for another list".

Keeping a residential tenancy database is likely to be the type of conduct that means the exemption will NOT apply (likewise if you provide property management services). We cannot provide advice here but you should carefully consider the exemptions and seek professional counsel or speak to REINSW.

Top Tip:

Real estate agents should also be mindful of any contractual privacy-related promises that may be included in various retainers and their privacy policies.

For example, if a real estate agent is not expressly caught by the Privacy Act, but has made privacy commitments in their retainer or in their privacy policy, they will be obliged to comply with those privacy obligations.

Australian Privacy Principles

The APPs outline the mandatory requirements for the handling of personal information, including the consideration of personal information privacy, collection, dealing, integrity, access to, and correction of, personal information. See the OAIC guide to the APPs here: https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-quick-reference

Top Tip: Handling open home attendee lists

Open home attendee lists will generally contain an individual's name, phone number and email address. These are all types of personal information within the meaning of s 6 of the Privacy Act.

If the Act applies, prior to collecting information for open home attendee lists, real estate agents must ensure that they have obtained the individual's voluntary consent to collect the personal information and identify the relevant purposes for collection. The privacy policy can be on your website - you can simply refer to it on the registration form.

Be careful with paper registers as they can be a breach of APP 11 because other people can take photographs of the register and then use them to stalk visitors. If you do use a paper register, keep it secure so that others cannot read or copy the details.

If someone does not consent to provide information you can bar access to the open home. If they provide information then you have obtained their voluntary consent.

With respect to the use and disclosure of open home attendee lists following voluntary and lawful consent and collection, real estate agents may use such information for marketing other properties where this has been identified as a collection purpose (or without express identification as a collection purpose, because we consider it falls within the "reasonably expected" secondary use under APP 6).

However, providing the personal information recorded in an open home attendee list to other businesses would not be a reasonably expected secondary purpose unless the specific recipients are specified in the privacy policy.

Any "direct marketing" type communication should have an easy-to-use "unsubscribe" function to comply with APP 7 and the Spam Act.

A breach of an APP is an interference with the privacy of the individual under the Privacy Act. The Information Commissioner has powers to investigate possible and actual interferences with privacy, either following a complaint by the individual or on the Commissioner's own initiative, and award compensation for breaches.

Notifiable data breaches

Under the NDB Scheme introduced in 2017, an APP entity that discovers a data breach where it is reasonable to believe that the breach has caused serious harm to the affected individual(s), or it is likely to do so, must notify the OAIC and affected people as soon as practicable.

To determine whether an NDB is likely to cause serious harm, APP entities must consider the non-exhaustive list of relevant matters set out in s 26WG:

  • the kind or kinds of information
  • the sensitivity of the information
  • whether the information is protected by one or more security measures
  • if the information is protected by one or more security measures – the likelihood that any of those security measures could be overcome
  • the persons, or the kinds of persons, who have obtained, or who could obtain, the information
  • if a security technology or methodology:
      ◦ was used in relation to the information, and
      ◦ was designed to make the information unintelligible or meaningless to persons who are not authorised to obtain the information,
    the likelihood that the persons, or the kinds of persons, who:
      ◦ have obtained, or who could obtain, the information, and
      ◦ have, or are likely to have, the intention of causing harm to any of the individuals to whom the information relates,
    have obtained, or could obtain, information or knowledge required to circumvent the security technology or methodology
  • the nature of the harms
  • any other relevant matters

APP entities may not need to notify if they take positive steps to address a data breach in a timely manner. To avoid the need to notify, the remedial actions need to be effective enough so that the organisation believes that the data breach will no longer likely result in serious harm.

If an APP entity determines that the data breach is an eligible data breach following an assessment, the APP entity will need to prepare a notification statement that contains the identity and contact details of the organisation, a description of the data breach, the kinds of information affected, and recommendations for affected people.

We would like to thank Toby Blyth & Jessica Yazbeck at Colin Biggers & Paisley Lawyers for providing this article.