The professional reference for Queensland real estate agents. A publication by Shaka.deal.

Privacy Act Obligations for Queensland Real Estate Agents: Client Data, Marketing and Compliance

10 min read. Updated May 2026.

A buyer’s agent emails a past client’s financial details to an overseas property developer. A sales agent adds every open home attendee to the agency newsletter without asking. A property manager scans a driver’s licence, TFN and passport — and stores all of it on an unprotected server. Each of these is a potential breach of Australian privacy law, and each happens routinely across Queensland agencies that have never paused to examine their obligations under the Privacy Act 1988 (Cth).

The regulatory environment shifted decisively in 2024 and 2025. Australia’s privacy regulator began 2026 with its first-ever compliance sweep, conducting a targeted review of selected businesses’ privacy policies — specifically scrutinising businesses that collect information in person. The OAIC cited real estate agents asking for phone numbers at open houses as a prime example of the in-person collection practices under examination. Queensland real estate agents are directly in the regulator’s line of sight. Understanding what the law actually requires — not just in theory, but in daily practice — is no longer optional.


Does the Privacy Act Actually Apply to Your Agency?

This is where most principals start — and where many draw the wrong conclusion.

The Privacy Act 1988 covers organisations with an annual turnover of more than $3 million, and this may include real estate agents. A small business operator with an annual turnover of less than $3 million is generally exempt from the Act, though there are quirks in this test and you should review the OAIC’s small business checklist before relying on the exemption.

The exemption, however, is narrower than it appears. Some small businesses under $3 million are also covered if an exception applies — including businesses that trade in personal information, meaning they disclose or collect personal information for a benefit, service or payment beyond ordinary operational sharing. An agency that sells its client database, exchanges lists with a third-party marketing company, or monetises tenant data in any form crosses into coverage regardless of turnover. Agents should take particular care with that aspect of the small business checklist, noting that the OAIC specifically flags scenarios where “a small business sells their customer list to a marketing company or gives their own list in return for another list.”

Even agencies that fall outside the Act’s formal reach face practical obligations. If a real estate agent is not expressly caught by the Privacy Act but has made privacy commitments in their retainer or in their privacy policy, they will still be obliged to comply with those privacy obligations. And reputationally, buyers, sellers, tenants and landlords are more privacy-aware than ever — a clear policy and robust processes reduce complaints and set professional agencies apart.

The practical advice: assume the Act applies, build your systems accordingly, and the only risk you run is over-compliance.


The Australian Privacy Principles: What They Mean in a Real Estate Context

Within the Privacy Act, there are 13 Australian Privacy Principles (APPs) that set out how your business may handle personal information. For Queensland agents, the most operationally relevant ones govern collection, use, disclosure, direct marketing, cross-border data flows, data security, and an individual’s right to access and correct their information.

Collection: What You Can Gather and How

If the Act applies, a real estate agent can only collect personal information that is reasonably necessary for one of their functions or activities. An agent is not allowed to collect more information than is necessary because it is convenient or they think it may be useful in the future.

In practice, this means your rental application forms, open home sign-in sheets, and buyer registration processes need to be audited against a simple test: is each piece of information actually required for the transaction at hand? In real estate, personal information may be collected directly from the person — through an application form, for instance — or indirectly, from referees, tenancy databases, or credit reporting processes. Both routes carry the same obligations.

Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable — whether the information or opinion is true or not, and whether or not it is recorded in material form. Names, phone numbers, email addresses, employment history, bank account details, rental history and identity documents all qualify. Sensitive personal information is a subset that includes information or an opinion about an individual’s racial or ethnic origin, political opinions or associations, criminal record, health or genetic information, sexual orientation, and religious beliefs. You generally cannot collect sensitive information without express consent, and collecting it “just in case” creates significant exposure.

Government-related identifiers deserve specific attention. A real estate agent may collect a government-related identifier — such as a Medicare number, Centrelink customer reference number, driver licence number, or birth certificate number — only if reasonably necessary, but generally must not adopt, use, or disclose these numbers. If an agent needs a copy of such a document, they should blank out personal information they do not need, and if they need to use or disclose a document with a government-related identifier, they must generally blank the identifier out.

Use and Disclosure: The Primary Purpose Rule

Once collected, personal information can only be used or disclosed for the purpose it was collected for, unless the individual has given their consent for other uses. This is the principle that catches agents most frequently. You collected a prospective buyer’s contact details at an open home to facilitate a sale. Using that information to add them to a third-party investment seminar mailing list, or sharing it with a mortgage broker who is a business partner of yours, is a use beyond the primary purpose — and requires consent.

Sharing a tenant applicant’s information with a landlord, a previous agent listed as a reference, a residential tenancy database operator, and any directly relevant party is legitimate, because it falls within the primary purpose of evaluating the application. The test is whether a reasonable person in the individual’s position would expect that secondary disclosure.


Open Home Sign-In Sheets: A Specific and Common Exposure Point

The humble sign-in sheet at an open home is one of the most consistent compliance failures in the industry — and precisely what the OAIC’s 2026 sweep targeted.

Open home attendee lists generally contain an individual’s name, phone number, and email address — all types of personal information within the meaning of section 6 of the Privacy Act. If the Act applies, prior to collecting information for open home attendee lists, real estate agents must ensure they have obtained the individual’s voluntary consent to collect the personal information.

This consent obligation has a practical implication: the sign-in process must include a clear collection notice. Before or at the time of collection, you are required to notify individuals of the agency’s identity, the purpose of collection, any third parties to whom the information may be disclosed, and the existence of your privacy policy. A bare “Name / Phone / Email” sheet with no explanatory text does not meet this standard.

Privacy Commissioner Carly Kind stated that when consumers are confronted with in-person requests for personal information from real estate agents, they often don’t have access to all the information they need to make an informed decision, making them “vulnerable to overcollection of personal information.” The OAIC’s sweep aimed to ensure that entities are meeting their obligations to be transparent about how they’re using the personal information they collect in person.

The fix is straightforward: add a brief collection notice to your sign-in sheets — physical and digital — that tells attendees what you’re collecting, why, and who may receive it.


Marketing Use of Client Data

This is where agents most frequently step across the line. Queensland agencies run email campaigns, SMS property alerts, social media retargeting, and market update newsletters — all legitimate tools, all carrying compliance obligations under both the Privacy Act and the Spam Act 2003 (Cth).

APP 7: Direct Marketing

APP 7 specifically addresses direct marketing. If an organisation holds personal information about an individual, it may use or disclose that information for direct marketing only where the individual has consented, would reasonably expect it, or the organisation is using information it collected directly from the individual and the individual has been given a simple means to opt out. Every direct marketing communication must include a clear, functional opt-out mechanism.

The APP 7 rules on direct marketing are among the core practical obligations real estate agencies face under the APPs. The important distinction is between using information for a purpose the person would reasonably expect, such as sending listed property alerts to a buyer who registered interest, and harvesting attendee data to build a general marketing database. The latter requires explicit consent.

The Spam Act 2003: Email and SMS Marketing

In Australia, the sending of SMS and email marketing messages is regulated by the Spam Act 2003 (Cth) and the Spam Regulations 2021. The Spam Act was designed to protect people from receiving spam — unsolicited commercial electronic messages — and governs who you can send to and what your messages need to include.

Under the Spam Act 2003 (Cth), businesses must obtain consent from customers, including business customers, before sending any direct marketing communications via email, SMS, or other electronic means. Consent can be express or inferred, but it should only be inferred where there is an existing commercial relationship between the sender and the customer that relates to the subject matter of the marketing communication. The ACMA recommends using express consent, as it represents a clear and unambiguous decision by a customer to receive direct marketing.

For Queensland agents, the inferred consent question frequently arises with open home contacts and past buyers. When seeking to rely on inferred consent, carefully evaluate whether there is a clear, current or ongoing relationship with the customer and that the goods or services being marketed are directly related to that relationship. Consent should not be inferred from a one-off purchase by a customer, even where they have provided a phone number or email to receive a receipt.

Every commercial electronic message must comply with three mandatory requirements. Recipients must consent to receiving commercial emails; all emails must clearly identify the sender; and every email needs a functional unsubscribe option. Agents must keep a record when a person gives express consent, including who gave the consent, when, and how — because under the Spam Act, it is up to you to prove that you have a person’s consent.

Unsubscribe requests must be actioned as quickly as possible and within five business days. You must not continue sending marketing messages after an unsubscribe request has been received, or re-contact consumers encouraging them to resubscribe. Violations of the Spam Act are enforced by the Australian Communications and Media Authority (ACMA) and can result in fines of up to $220,000 for a single breach, and as much as $2.1 million for subsequent breaches.

The Spam Act and the Privacy Act are complementary but distinct. The Spam Act 2003 governs the sending of commercial electronic messages, while the Privacy Act 1988 regulates the use and disclosure of personal information. The Privacy Act’s APPs apply to certain organisations, and APP entities must comply with several obligations, including obtaining consent before collecting sensitive personal information and providing a simple means for individuals to opt out of direct marketing communications. An agency must satisfy both regimes simultaneously.


Notifiable Data Breaches: Your Obligations When Things Go Wrong

In 2024, a total of 1,113 data breaches were notified to the OAIC — representing a 25% increase in notifications from the 893 notified in 2023. Real estate agencies hold exactly the kind of data that malicious actors and ransomware operators target: identity documents, bank account details, signed contracts, and tenancy histories.

Under the Notifiable Data Breaches (NDB) scheme, any organisation or agency the Privacy Act 1988 covers must notify affected individuals and the OAIC when a data breach is likely to result in serious harm to an individual whose personal information is involved. A data breach occurs when personal information an organisation or agency holds is lost or subjected to unauthorised access or disclosure.

An eligible data breach is one that is likely to cause serious harm to any person whose personal information is involved, and where the entity is unable to prevent the likely risk of serious harm with remedial action. If an entity promptly takes steps to remediate the data breach and, as a result, the breach is unlikely to cause serious harm, there is no obligation to notify affected individuals or the Commissioner.

Generally, an organisation or agency has 30 days to assess whether a data breach is likely to result in serious harm. Those 30 days start from the point the entity becomes aware. Acting quickly on containment is therefore both ethically correct and legally strategic — if you can prevent the harm, the notification obligation may not arise.

When notification is required, it must go to both the OAIC and affected individuals. The notification to individuals must include recommendations about the steps they should take in response to the data breach. The OAIC publishes an online Notifiable Data Breach form for this purpose.

The penalties for failing to maintain compliant practices are no longer theoretical. The Privacy Commissioner can now issue infringement notices of up to $66,000 per contravention, bypassing the slower civil penalty process. The maximum civil penalty for serious or repeated interference with privacy sits at $3.3 million for a body corporate.


Handling Foreign Buyer Data: APP 8 and Cross-Border Disclosure

Queensland attracts significant offshore capital — particularly from Southeast Asian buyers purchasing residential and commercial property. Australian Privacy Principle 8 sets the rules for cross-border disclosure of personal information, and if you miss a step, your business can be on the hook for privacy breaches that happen overseas.

APP 8 and section 16C create a framework for the cross-border disclosure of personal information. The framework generally requires an APP entity to ensure that an overseas recipient will handle an individual’s personal information in accordance with the APPs, and makes the APP entity accountable if the overseas recipient mishandles the information.

This becomes directly relevant when a Queensland agent shares a local buyer’s information with an overseas property developer, a foreign-based referral agent, or a migration agent operating offshore. When such a disclosure occurs, the organisation must take reasonable steps to ensure the overseas recipient complies with the APPs, and will remain accountable if the overseas recipient breaches the APPs, subject to exceptions.

The most workable exception for most agencies is informed consent: the individual consents after being expressly informed that APP 8 protections may not apply and the overseas recipient may not be subject to the APPs. This must be real, informed consent — clear, specific, and documented.

Compliance also requires taking reasonable steps — typically through enforceable contracts — to ensure overseas recipients follow APP-equivalent privacy standards. If you regularly refer Queensland buyers to an overseas-based agency network or vice versa, your referral agreement should contain explicit privacy protection clauses.

The OAIC does not maintain a list of countries with substantially similar laws or binding schemes, so agents cannot simply assume that a jurisdiction is compliant. If you are uncertain, the safest path is express informed consent from the client before any disclosure.


Building a Compliant Privacy Framework in Your Agency

Compliance is not a document you draft once and file. An organisation should implement practices, procedures, and systems that enable compliance with the APPs (APP 1.2) and have a clearly expressed and up-to-date Privacy Policy (APP 1.3) that contains specific information about the organisation’s information handling practices (APP 1.4).

In January 2026, the OAIC began its first-ever privacy compliance sweep, targeting approximately 60 organisations across six sectors — including real estate agencies. The sweep assesses each organisation’s privacy policy for compliance with APPs 1.3 and 1.4, which require organisations to have a clearly expressed and up-to-date privacy policy.

Privacy policies must now clearly outline what information is collected, how it is used, where it is stored, and how long it is retained, along with instructions for individuals to access or correct their data. A policy that has not been updated since the agency was founded, or that is a generic template unrelated to your actual data flows, does not meet this standard. A published Privacy Policy that reflects the actual personal information handling practices of the organisation — rather than being a purely aspirational document — helps individuals make informed decisions about their dealings with the organisation.

Quality control over the data you hold is also a distinct obligation. Reasonable steps should be taken to ensure that personal information contained on lists is accurate, complete, up to date, and relevant before the lists are used or disclosed (APP 10.2). Organisations that purchase lead lists from vendors should beware: vendors often disclaim responsibility for the accuracy and completeness of their lists through their own Terms and Conditions, which places the compliance burden squarely on the purchasing agency.

Finally, a clear Data Breach Response Plan sets out how your agency will assess, contain, and notify a breach if you are an APP entity covered by the Notifiable Data Breaches scheme. Given the 30-day assessment window, agencies that have no documented response procedure will invariably be scrambling when a breach actually occurs.


What This Means for Queensland Agents

The privacy obligations facing Queensland real estate agents span collection, use, marketing, storage, breach notification, and cross-border disclosure. The regulatory environment is now one of active enforcement — not just published guidance.

Priority actions for every Queensland agency:

The Property Lovers Commissioner-initiated investigation (Commissioner Initiated Investigation into Property Lovers Pty Ltd (Privacy) [2024] AICmr 249) is a useful reminder of how the OAIC approaches sector-specific privacy failures in property-related businesses. In that case, the Privacy Commissioner highlighted how the APPs work — in a practical sense — to preserve the privacy rights of individuals and inform good decision making by organisations in the sector.

The OAIC’s 2026 sweep signals its shift from guidance to active enforcement, with greater use of compliance and infringement notices and escalation to civil penalties for serious or persistent non-compliance. Queensland agents who treat privacy obligations as a compliance checkbox rather than an operational discipline are carrying risk they may not have priced.

The information in this article is factual and informational in nature. For advice specific to your agency’s circumstances, consult a qualified privacy lawyer or seek guidance from the OAIC at oaic.gov.au or the REIQ at reiq.com.

Queensland.estate is a publication by Shaka.deal — an on-chain payment routing tool that lets Queensland agents route commission splits to multiple wallets simultaneously at settlement. 1% fee.