Personal information and tenancy applications: Fair Trading Commissioner's guidance

Fair Trading Commissioner's guidance on dealing with personal information from tenancy applicants and tenants

The following guidance is considered by the Fair Trading Commissioner to be best practice for agents and industry in dealing with personal information from tenants.

Personal information includes a broad range of information about a person. It can include their name, address, phone number, bank details, where they work, their employee records, credit information or whether they have a loan. It also includes formal identification documents, such as a driver’s licence, Medicare card or passport or the details from those documents. It may also include another person’s opinion about them (such as a character reference).

Personal information can also include inferences that may be drawn about someone from their activities, such as where they use their credit card or their web browsing history.

Personal information is collected from prospective tenants for the purposes of verifying identity, establishing ability to pay rent and demonstrating that the person is likely to look after the property.

General obligations relating to personal information for agents and associated organisations

An agent must act honestly, fairly and professionally and exercise reasonable skill, care and diligence. An agent also must not use or disclose confidential information (including personal information) unless the client or customer authorises this use, or it is otherwise required by law. These requirements are set out in Schedule 1 of the Property and Stock Agents Regulation 2022.

Most organisations with an annual turnover of over $3 million must also comply with Federal privacy laws. These include:

  • requirements to notify certain data breaches
  • 13 Australian Privacy Principles which provide the standards, rights and obligations relating to:
    • the collection, use and disclosure of personal information
    • an organisation’s or agency’s governance arrangements
    • quality and correction of personal information
    • the rights of individuals to access their personal information
    • security and destruction of personal information.

The principles broadly require organisations to:

  • manage personal information in an open and transparent way and have a publicly available privacy policy
  • only collect personal information that is reasonably necessary for an organisation’s functions and activities and usually directly from the individual concerned
  • notify a person about information collected about them and how it will be used
  • allow a person to access information held about them
  • only use or disclose personal information for the purpose for which it was collected
  • only use or disclose personal information for direct marketing in limited circumstances, and provide an easy means for individuals to request not to receive marketing communications
  • take reasonable steps to ensure that information collected is accurate, up to date and complete
  • take reasonable steps to protect personal information it holds from misuse, unauthorised access or disclosure or modification and destroy information that is no longer needed
  • allow a person to access and correct information held about them.

For agents, property managers, landlords and organisations with an annual turnover of less than $3 million, the Australian Privacy Principles provide best practice guidance for managing personal information provided by tenants.

Property agencies should prepare and maintain written procedures for the collection, use, storage and disposal of personal information obtained in the course of the organisation’s business.

It is best practice for agencies to publish information and explanations about the use of tenant personal information, including how long the data will be stored, what measures are in place to protect confidentiality and whether it is shared with any third parties.

Different information requirements apply at different points in a tenancy relationship

There are multiple points in time when an agent or landlord may collect, use or manage personal information from a tenant:

  • when the property is advertised for rent e.g. interactions occur at the open home inspection or via phone and email enquiries
  • when a prospective tenant puts in an application for a property
  • when an agent or landlord assesses the application and makes a decision about the successful applicant
  • after a tenancy agreement is entered into.

The information below is intended to guide agents, landlords and third party tenancy application platforms to decide what information may be reasonably necessary to collect and use, and how to manage that information at these different points in time.

When the property is advertised

During this period prospective tenants generally attend open inspections and communicate with the landlord or agent via email and phone to find out more about the property and conditions of the tenancy.

At this time, only minimal information should be collected and the consent of the prospective tenant should be obtained. For example, collection of a phone number or email address at an open inspection so that the agent can contact the prospective tenant to gauge their interest in the property would be considered reasonably necessary collection.

When a prospective tenant puts in an application

Collect information only where reasonably necessary

The Australian Privacy Principles – and privacy laws and guidance globally – emphasise the importance of not collecting more data than reasonably necessary for the purpose it is collected for.

This is known as ‘data minimisation’, which is an important concept that can help reduce privacy and security risks and impacts. For example, collecting more personal information than is necessary may increase the risk of harm to an individual in the event of a data breach. Holding large amounts of personal information may also increase the risk of unauthorised access by internal or external sources. Organisations should only collect the minimum amount of information that is reasonably necessary in the circumstances.

In the context of collecting information from a tenancy applicant, some personal information may be reasonably necessary to collect because it is needed to:

  • confirm the tenant’s identity
  • establish that prospective tenant/s who are listed on the lease would be able to pay the rent for the property when it falls due
  • demonstrate that the tenant is likely to look after the property.

Guiding questions
  • am I asking the prospective tenant for information that is beyond what is necessary for the above purposes?
  • am I asking for information only from the relevant people, who are the prospective tenants who would be listed on the rental agreement?
  • am I requesting multiple forms of evidence when I only need one?
  • am I collecting information only from sources that the tenant is aware of and has given informed and voluntary consent to?
  • if using a third party platform, am I confident that the platform is only collecting information on my behalf that is reasonably necessary?
  • am I balancing my obligation to act in the landlord’s best interest with tenants’ rights to privacy, freedom from discrimination and protection of their personal information?

Collection of information to verify the tenant’s identity

Best practice would be to only request information that is reasonably necessary to verify a tenant’s ID, and to simply sight the ID documents and note any details that may be necessary to keep (for example, if it is necessary in future to confirm the identity of the tenant for providing a reference or providing access if they are locked out of a property), without storing the documents. This will reduce the amount of ID information that will be disclosed if an agency is subject to a data breach.

Guiding questions
  • how much information do I need to verify the successful applicant’s identity for this purpose?
  • am I requesting / collecting more information than necessary as part of these checks – e.g. multiple types of evidence when only one or two types are necessary?

Example - an agent verifies the successful tenant's identity

To verify the tenant’s identity, the agent asks the tenant if they can see a copy of the tenant’s driver’s licence or passport. The agent makes a note for their records of the licence and passport numbers but does not scan the documents.

This would be considered privacy best practice.

Example - an agent uses a third party platform to verify the successful tenant's identity

An agent uses a third party platform to collect applications for a rental property.

The agent uses the third party platform to collect identifying documents for the successful tenant. Once they have viewed these documents, they are deleted from the platform. The agent does not download or store copies of the information but makes a note for their records that they have sighted this information.

This would be considered privacy best practice.

Establish that prospective tenant/s who are listed on the lease would be able to pay the rent for the property when it falls due

Consider what information is reasonably necessary to show that the tenant can pay the rent under the agreement: e.g. current rental ledger or information from their employer (such as a payslip) to confirm their income.

If the prospective tenant does not receive income through employment, an alternative source of information about capacity to pay may need to be considered. However, it is still best practice to only require a tenant to provide the minimum level of information necessary to assess capacity to pay. For example, in situations where a prospective tenant does not have payslips and instead provides bank statements, they should be encouraged to redact the daily transaction history and only provide evidence of savings.

Information on capacity to pay should be limited to those tenants who will be listed on the lease and will have a legal obligation to pay the rent.

Example - agent or third party requests employment information from all adults in the household

An agent or third party platform requests employment history for all adult members of the household above 18 years of age, regardless of whether they will be listed on the lease and paying rent under the tenancy agreement.

Collecting this additional evidence is not reasonably necessary for determining whether the people who will be listed on the lease will be able to pay the rent for the tenancy.

This would not be considered best practice and could also breach the Australian Privacy Principles (which larger agencies may be subject to).

Information to demonstrate that the tenant is likely to look after the property

Information collected for this purpose might include a reference from a previous landlord or agent or confirmation that the tenant has read and understood the Tenant Information Statement.

An agent may also conduct a residential tenancy database search (more on these below). Where an agent uses a tenancy database, it is best practice for agents to disclose to prospective tenants that their information will be used for this purpose.

Bond claims made against the tenant or involvement in a previous tenancy dispute are not necessarily a good indicator of a tenant’s likely conduct as there may have been other reasons for these, including an unreasonable landlord/agent.

Example - third party requires prospective tenant to pay for extra checks

When submitting a rental application on a third party platform, the application strongly suggests that a prospective tenant pay for a tenancy database or credit check to complete their application.

Under Part IIIA of the Privacy Act, strict rules apply to credit reporting bodies about who can access an individual’s consumer credit report.

Credit reporting bodies are prohibited from disclosing an individual’s credit reporting information to third parties, except in specific limited circumstances prescribed by Part IIIA. Credit reporting bodies are not permitted to provide a copy of an individual’s consumer credit report to a real estate agent because they are not credit providers.

There is therefore no obligation for a prospective tenant to provide a copy of their consumer credit report to a real estate agent, even if the real estate agent asks for it. An agent asking a prospective tenant to provide a credit report in support of their application would not be best privacy practice.

Further, strongly encouraging or requiring a prospective tenant to pay for their own credit check or other background check may be in breach of the Residential Tenancies Act 2010.

Agents, landlords and third parties used by them should not require or receive any fees from a prospective tenant in connection with submitting an application for a tenancy, apart from the costs specifically allowed for in section 23 of the Residential Tenancies Act 2010, which are a holding fee, rent, a bond, and an amount to cover any fee payable for registration of a tenancy agreement.

Unlawful discrimination

It is unlawful in New South Wales to discriminate in the provision of accommodation on the grounds of race, sex, marital or partner status, age, disability, sexual orientation, or gender identity.

The guidance set out here may help agents and third parties reduce the risk that they discriminate, or are perceived to have discriminated, in the assessment of a rental application. In particular, by ensuring that prospective tenants only provide as much information as the agent and landlord reasonably need to assess an application, agents will make it easier to ensure that they are assessing that application fairly and on non-discriminatory grounds.

Consideration should also be given to whether any program or algorithms used by third party platforms to assess an application could be assessing information in a discriminatory way.

Visit the Anti-Discrimination New South Wales website for more information about types of discrimination.

Example - agent removes unnecessary information from tenancy application form

An agent updates their application form for a tenancy agreement. In doing so, the agent ensures that they do not include any unnecessary and potentially discriminatory questions, including the marital or relationship status of the applicants.

This ensures that when the application is assessed, the agent is not influenced by whether the applicants are married. Whether or not prospective tenants are married has no bearing on their capacity to sustain a tenancy.

Example - agent infers details about prospective tenants

As part of a tenancy application, a prospective tenant provides a copy of their driver’s licence. Even though the application form does not ask the prospective tenant their gender identity, the agent assumes this from the tenant’s name and photo.

Agents should use reasonable endeavours to ensure that they do not make assumptions about a tenant’s attributes where those attributes have no bearing on their capacity to sustain a tenancy.

Regardless of whether agents are told information by prospective tenants or assume it based on other information provided, agents must ensure that they do not assess a person’s application, or offer differing lease terms, based on any protected characteristics outlined above.

Anyone wishing to make a complaint about discrimination should contact the NSW Anti-Discrimination Board on 1800 670 812 or at https://www.antidiscrimination.nsw.gov.au.

Inform applicants why specific information is collected and how it will be assessed

Agents and third party platforms should explain at the tenancy application stage why specific forms of information are required for assessing a person’s suitability as a tenant, how it will be collected, and how their application will be assessed.

This is considered best practice. It is also a requirement of the Australian Privacy Principles. The APP Guidelines set out the matters that must be included in a collection notice: Chapter 5: APP 5 — Notification of the collection of personal information (oaic.gov.au).

Dealing with unsolicited personal information

Unsolicited information is information received where no active steps were taken by the receiver to collect it. Where unsolicited information is provided, the receiver should decide whether it would have been reasonably necessary to collect that information.

The Australian Privacy Principles emphasise that the unsolicited personal information should be destroyed as soon as possible if it would not have been reasonably necessary to collect it.

Example - a prospective tenant provides more information than requested

As part of a tenancy application, a prospective tenant submits a copy of their tax return. This information was not requested by the agent, and was provided in addition to other information that evidenced their ability to pay the rent for the property.

The agent does not copy or file the tax return. The agent deletes the information permanently and advises the prospective tenant that they have done so, as the information was not required.

This is considered best practice.

Individual’s right to access information held about them

The Australian Privacy Principles emphasise that if an individual requests information that is held about them, that information should be provided to them as soon as reasonably practicable. If information is stored via a third party, the individual should not be simply referred on to that third party.

It is important to verify that a request for personal information is made by the individual concerned, or by someone authorised to make the request, such as a legal guardian.

This principle is particularly important if an unsuccessful tenant wishes to access information held about them to better understand why they were not successful in securing the property.

Individuals also should be given an opportunity to correct personal information held about them. This may be particularly important where a prospective/current tenant becomes aware that information held by an agent/landlord or third party is inaccurate in the course of an application or tenancy, and wants that information to be amended.

When an agent or landlord assesses an application

Agents/landlords should only use information that is reasonably necessary to assess a tenant’s suitability.

Agents/landlords should only use information that is relevant to whether the tenant will be able to pay the rent and is likely to look after the property.

Further, agents, landlords and third party tenancy application platforms should explain why certain information is being collected and how it will be used to assess the person’s suitability for the tenancy.

Example - agent gathers information from prospective tenant's social media profiles

In assessing an application for a tenancy, an agent decides to look at the prospective tenant’s Facebook, Twitter or LinkedIn account. The agent thinks this will tell them what type of person the tenant is before making a recommendation to the landlord.

This would not be considered best practice.

There is also a risk of mistaken identity through this process – where the profile viewed is of a different person who shares a name with the applicant. This could be unfair and prejudicial to the applicant and could lead to rejection of an ideal tenant.

Information from a person’s social media presence is unlikely to have any bearing on their capacity to pay or sustain a tenancy and would not usually be information that is reasonably necessary to use in the assessment of a potential tenant.

Example - agent informs prospective tenant how personal information will be used to assess their suitability for a tenancy

A tenancy application form requests that the prospective tenant provide information about their current income level and employer. The form clearly discloses that as part of the agent’s assessment process, the agent will consider the proportion of the tenant’s income that would go towards rent. The form also discloses that the employer will be contacted to confirm the income of the applicant.

A prospective tenant provides their income level and employer details in their rental application, and the agent then contacts their employer to confirm the salary.

This would be considered best practice because the application form clearly informed the applicant of the details of the information required (including that the prospective tenant’s employer would be contacted) and detailed how that information would be used.

Personal information and tenancy databases

Tenancy databases store specific information about tenants and their rental history. The Residential Tenancies Act 2010 provides strict rules for listing and accessing information contained on databases.

Where an agent uses a tenancy database, it is best practice for agents to disclose to prospective tenants that their information will be used for this purpose.

More information on tenancy databases is available on our starting a residential tenancy page.

After a tenancy agreement is entered into

Agents/landlords should destroy personal information when it is no longer needed

Personal information should only be kept for as long as it is reasonably necessary. It is important to consider whether there is an ongoing need or legal basis for holding the information. There should be clear and justifiable reasons for continuing to store personal information – these reasons may reduce over time.

Where there is no longer a reason to hold the information, it should be destroyed.

A clear example of personal information that should be destroyed is information collected from unsuccessful applicants for a tenancy. There is no need for this information to be retained and doing so exposes the unsuccessful applicant and the agent to considerable risk in the event of a data breach.

Agents may wish to keep file notes noting why they selected the successful tenant. This is acceptable where the file notes do not contain unnecessary personal information about the unsuccessful applicants.

Information stored in hard copy should be shredded before it is disposed of. If information is stored electronically, such as in cloud-based storage servers, USBs or with a third-party provider, consideration should be given to how to ensure digital records are permanently destroyed, including records held in any back-up system or offsite storage.

Example - deletion of unsuccessful applications collected and stored through a third party

Ten prospective tenants apply for a property through a third party platform and one is successful. Thirty days after the successful tenant’s lease commences, the records of all unsuccessful applications, including supporting documentation, are deleted from the third party platform and unsuccessful applicants are notified of this deletion.

This would be considered best practice.

Example - storing and disposing of personal information held by the agent

An agent receives a large number of applications for a rental property. The agent stores the applications on a password protected, secure ICT system. Once a tenancy agreement has been entered into, the agent permanently deletes all applications other than the one for the successful tenant.

For the successful tenant, the agent only retains the information necessary for overseeing the tenancy. The agent also ensures that all personal information relating to the successful tenant is permanently deleted when it is no longer necessary to hold it.

This would be considered best practice.

Use and disclosure of information and direct marketing

The Australian Privacy Principles emphasise that an organisation should only use or disclose personal information for the reason they collected it.

This means that information collected from a person for the purpose of applying for a tenancy should not be used for direct marketing, unless the person consents or would reasonably expect it to be used for direct marketing. Even if the information can be used for marketing purposes, the person concerned should be given a means to ‘opt out’ from receiving any direct marketing.

Example - disclosing marketing practices and providing an option to opt-out

As part of the tenancy application process, an agent asks prospective tenants whether they own any other property. The application form makes clear that this question is for marketing purposes, and allows the applicant to choose not to answer, and ‘opt out’ of marketing communications.

This would be considered best practice.
