Privacy Diagnostic — Standard Privacy Solutions

Section 1 — Foundations

Privacy Act Applicability

Establishing which Privacy Act obligations apply. Most real estate agencies are APP entities regardless of turnover — these questions confirm the applicable triggers.

⚠️ From 1 July 2026, AML/CTF Tranche 2 means most real estate agencies are APP entities regardless of annual turnover. The small business exemption is not a safe planning assumption.

1 What is the agency's approximate annual turnover?

Under $3 million $3 million or more Varies year to year

2 Is the agency enrolled or required to enrol with AUSTRAC as a reporting entity under the AML/CTF Act?

Tranche 2 commenced 1 July 2026. Enrolment deadline is 29 July 2026 for new reporting entities.

Yes — enrolled Yes — in progress No Unsure

3 Does the agency contribute listings to a residential tenancy database (e.g. TICA, NTD, Equifax TRN)?

RTD operators and contributors are APP entities under Regulation 3AA regardless of turnover.

Yes No Unsure

4 Does the agency share personal information with third parties (e.g. mortgage brokers, utilities, referral partners) in exchange for fees, commissions, or other benefits?

This triggers s 6D(4)(c) of the Privacy Act — the small business exemption is lost.

Yes No Unsure

5 What services does the agency provide?

Residential sales Property management Commercial sales/leasing Strata management Buyers agency Project/off-the-plan sales Trust accounting

6 Is the agency part of a franchise group?

Yes No

7 States/territories of operation

NSW VIC QLD WA SA TAS ACT NT

Section 2 — APP 1

Governance & Privacy Policy

APP 1 requires open and transparent management of personal information, a current Privacy Policy, and from 10 December 2026, automated decision-making disclosures.

8 Has the agency appointed a named Privacy Officer or designated a person responsible for privacy compliance?

Yes — named person Principal — informal No

9 Does the agency have a Privacy Policy?

Yes — on website, current Yes — not public Franchise policy — unreviewed No

10 When was the Privacy Policy last reviewed and updated?

Within 6 months 6–12 months ago 1–3 years ago 3+ years / never No policy

11 Does the Privacy Policy address overseas disclosure and name the countries where personal information is sent?

Yes — countries named Mentioned — no countries Not addressed

12 Does the agency use any AI or algorithmic tools that make or substantially assist decisions affecting individuals (e.g. tenant scoring, lead ranking, automated appraisals)?

APP 1.7–1.9 ADM transparency obligations commence 10 December 2026. Privacy policy must disclose by that date.

Yes — disclosed in policy Yes — not yet disclosed No Unsure

13 Has the agency conducted a Privacy Impact Assessment (PIA) for any new CRM, PropTech platform, or AI tool adopted in the last 12 months?

Yes No new systems New systems — no PIA

Section 3 — APPs 3–5

Collection of Personal Information

What the agency collects, from whom, whether it is necessary, and whether individuals are notified. Tenancy applications are the highest-risk collection point.

⚠️ Top risk: Over-collection on tenancy applications. Review every field — collect only what is genuinely necessary. Sensitive information requires consent AND necessity.

14 Which types of personal information does the agency collect? (Select all that apply)

Name & contact details Date of birth Govt photo ID Medicare/health card Financial information Rental history/RTD Employment/references Health/disability info Criminal history Social media profiles Vehicle registration Applicant photographs

15 Has the agency audited its tenancy application form in the last 12 months for data minimisation — removing fields that cannot be justified as necessary?

Yes — audited No Third-party — can't customise

16 Where does the agency collect personal information from individuals? (Select all that apply)

Open homes Tenancy applications Vendor authority forms Buyer registration Auction registration Website forms AML/CTF CDD Staff applications Third-party databases

17 Open home sign-in sheets — how are they managed?

Playbook Risk #3: sign-in sheets left visible to subsequent visitors are an APP 11 breach.

18 Does the agency have Collection Notices in use at all collection points?

Yes — all points Some points only No

19 Does the agency have a process for dealing with unsolicited personal information (information received that was not requested)?

e.g. oversharing in tenancy applications, misdirected emails, unsolicited referee comments about sensitive matters.

Yes — documented Ad hoc No process

Section 4 — APPs 6 & 7

Use, Disclosure & Marketing

Personal information may only be used or disclosed for the purpose for which it was collected, unless an exception applies. Marketing requires consent and must include opt-out mechanisms.

20 Who does the agency typically disclose personal information to? (Select all that apply)

Landlords Property portals Conveyancers Mortgage brokers Utilities services Tradespersons Tenancy databases Body corporate/strata Related entities Government agencies

21 Does the agency use tenant or client data for marketing purposes beyond the original purpose of collection?

e.g. using rental application data to market sales services, using buyer details to market home loans.

No — primary purpose only Yes — consent obtained Yes — no specific consent Unsure

22 What types of marketing does the agency send? (Select all that apply)

Email newsletters SMS marketing Appraisal/prospecting Social media retargeting No marketing

23 Do all marketing communications include a functional opt-out/unsubscribe mechanism?

Yes — all Some only No N/A

24 Does the agency maintain an agency-wide suppression/opt-out list that all agents honour?

Yes — agency-wide Per-agent only No

25 Has any staff member posted personal information about a tenant, vendor, or client on social media or public platforms (including in the context of a dispute)?

Since 10 June 2025 this can constitute a serious invasion of privacy (statutory tort) and/or criminal doxxing.

No — not to our knowledge Yes — incident occurred Unsure

Section 5 — APP 8

Cross-Border Disclosure & PropTech

APP 8 requires reasonable steps to ensure overseas recipients do not breach the APPs. This section covers software platforms, offshore staff, and PropTech due diligence.

⚠️ Playbook Risk #4: PropTech platforms with offshore data storage are one of the top 10 real estate privacy risks. Most agencies use multiple platforms with overseas servers.

26 Does the agency use software or cloud platforms where client data is stored or processed overseas?

e.g. PropertyMe, Rex, Console Cloud, Campaign Monitor, Inspect Real Estate, Mailchimp, Google Workspace, Microsoft 365.

Yes — countries known Yes — countries unknown No — Australia only Unsure

27 Does the agency use virtual assistants, outsourced staff, or contractors located outside Australia who have access to client data?

Yes — contracts in place Yes — no privacy terms No

28 Before adopting new PropTech, CRM, or cloud platforms, does the agency conduct due diligence on data storage location, security certifications, and privacy commitments?

Yes — formal checklist Informal only No

29 Do contracts with overseas software providers or offshore contractors include APP-equivalent privacy obligations, breach notification requirements, and data deletion on termination?

Yes — all key providers Some only No Unsure

30 Does the agency have a current data flow map identifying all systems, data types, storage locations, and sub-processors?

Yes — current Outdated No

Section 6 — APPs 10 & 11

Data Security & Retention

APP 11 requires reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access. APP 10 requires accuracy and currency.

31 Is multi-factor authentication (MFA) enabled on systems holding personal information?

Yes — all systems Some systems No Unsure

32 How are passwords managed?

33 Are role-based access controls in place so staff only access data relevant to their role?

Yes Partially No

34 Is there an immediate access revocation procedure when staff leave the agency?

Yes — immediate Usually — not documented No formal process

35 Does the agency use CCTV at agency premises or managed properties?

Playbook Risk #8: CCTV requires signposting, lawful installation under state surveillance device laws, and retention limits.

Yes — compliant Yes — gaps identified No CCTV

36 How are physical documents containing personal information stored?

Locked — controlled access Not locked Mostly digital

37 Does the agency have a documented retention and destruction schedule by record type?

Playbook Risk #7: old applicant files, ID copies, and sign-in registers kept indefinitely are a top 10 risk. Unsuccessful applicant data should be destroyed at 3 months.

Yes — documented Informal only No

38 Are unsuccessful tenancy applicant files destroyed within 3 months of a decision?

Yes — 3 months Kept longer Kept indefinitely Unsure

39 Does the agency use BCC (not CC) for bulk or group email communications to avoid inadvertent disclosure of recipient lists?

Playbook Risk #9: a single CC mistake with multiple tenants' emails is a reportable data breach.

Yes — always BCC Usually No formal practice

Section 7 — APPs 12 & 13

Access & Correction

Individuals have the right to access personal information held about them and to request corrections. Responses must be provided within 30 days.

40 Does the agency have a documented process for handling access requests from individuals?

Yes — documented and logged Ad hoc only No process

41 Does the agency verify the identity of a person requesting access before releasing their personal information?

Yes Informally No formal check

42 Has the agency received any access or correction requests in the last 12 months?

Yes — within 30 days Yes — delayed response No requests

Section 8 — NDB Scheme

Data Breach Preparedness

The Notifiable Data Breaches scheme requires assessment within 30 days of suspecting an eligible breach, and notification to the OAIC and affected individuals as soon as practicable.

43 Does the agency have a documented Data Breach Response Plan?

Yes — documented and tested Documented — not tested Informal only No plan

44 Are staff trained to recognise and report a suspected data breach internally?

Yes — all staff Some staff No training

45 Has the agency experienced a data breach or suspected breach in the last 3 years?

Yes — properly handled Yes — not assessed/reported No known breach Possible — unsure

46 Does the agency use secure file sharing or encrypted attachments for sending identity documents, contracts, and other sensitive documents by email?

Playbook Risk #9: unencrypted attachments and email misdirection are leading causes of reportable breaches.

Yes — always Sometimes No — standard email

Section 9 — Governance

Staff, Training & Governance

Effective compliance depends on staff understanding their obligations. Contractual privacy obligations, regular training, and proper onboarding are key governance measures.

47 Have all staff received privacy training in the last 12 months?

Yes — all staff Some staff Over 12 months ago No training

48 Does staff induction cover privacy obligations, including the statutory tort for serious invasions of privacy and criminal doxxing offences?

Yes — covers tort/doxxing General privacy only No

49 Do employment contracts and contractor agreements include privacy and confidentiality obligations?

Yes — all Employees only Some only No

50 Do licensees or property managers operating under the agency's licence have access to the agency's CRM and client data?

Yes — obligations in place Yes — no obligations No licensees

51 Does the agency have a documented privacy complaints process for clients, tenants, and applicants?

Yes — documented Ad hoc No

Section 10 — AML/CTF & Privacy

AML/CTF & Identity Verification

AML/CTF Tranche 2 commenced 1 July 2026. Collection under the AML/CTF Act is authorised under APP 3 but subject to strict purpose limitation under APP 6. CDD records must be retained for 7 years.

⚠️ AML/CTF data may only be used for AML/CTF purposes. Using CDD data (e.g. a passport copy) for any other purpose — including marketing — is an APP 6 breach.

52 Does the agency provide AML/CTF designated services (broadly: acting for buyer or seller in a purchase or sale)?

Yes No Unsure

53 Has the agency completed and had approved by senior management an AML/CTF Program?

Yes — finalised In progress No N/A

54 Has the agency appointed an AML/CTF Compliance Officer?

Yes Yes — same as Privacy Officer No N/A

55 What identity verification method does the agency use for CDD?

Sight and note Photocopy retained Digital service No formal process

56 Is a collection notice provided to individuals at the point of AML/CTF identity verification?

APP 5 requires notification even for legally-authorised collection, unless a Suspicious Matter Report is being filed (tipping-off offence).

Yes No N/A

57 Are staff trained on the tipping-off offence under the AML/CTF Act — specifically, that they must not tell a client if a Suspicious Matter Report has been or will be filed?

Yes No N/A

Section 11 — Documentation

Core Privacy Documents

A review of the core documents every APP entity should have in place, and what has been updated since AML/CTF Tranche 2 commenced.

58 Internal Employee Privacy Handbook — status?

Yes — current Partially covered No

59 Annual Privacy Health Check — when was the last full internal review completed?

Best practice is an annual review, or immediately after any material change — new PropTech, new service line, a breach, or a legislative change.

Within 12 months 1–2 years ago 2+ years ago Never

60 Which of the following have been reviewed or updated since 1 July 2026 to reflect AML/CTF Tranche 2 commencement?

61 Is there anything specific you would like the reviewing lawyer to focus on or flag in your report?

Optional. Do not include any personal information, names, or client details here.

Section 12 — Culture & Risk

Compliance Culture, Risk Culture & Continuous Improvement

Technical compliance is only part of the picture. This section assesses the agency's leadership commitment, risk identification culture, and improvement orientation — factors that determine whether compliance is genuinely embedded or merely documented.

ℹ️ This section is scored separately from the technical compliance assessment. It produces a Culture Rating shown alongside your Compliance Score in your report.

A — Compliance Culture

62 How would you describe leadership's approach to privacy compliance within the agency?

Genuine priority — championed by principal Serious but reactive Minimum standard / tick-box Not actively managed

63 Do staff feel comfortable raising privacy concerns or reporting potential issues without fear of negative consequences?

Yes — open culture Generally — no formal mechanism Uncertain — untested No

64 Is privacy compliance discussed at management or team meetings?

Yes — standing item Occasionally — issue-triggered Rarely Never

65 Are privacy obligations reflected in staff performance expectations or key performance indicators?

Yes — in performance standards Informal expectation only No

B — Risk Culture

66 When a potential privacy risk is identified — a new software platform, a change in practice, a new referral arrangement — how is it typically handled?

Formally assessed before implementation Discussed informally — no documentation Considered after the fact Not typically considered

67 Does the agency have a privacy risk register or any documented record of identified privacy risks?

Yes — maintained and reviewed Informal only No

68 If a staff member accidentally sent a client's personal information to the wrong recipient, what would happen?

This tests whether the agency has internalised breach response as a practice, not just a policy.

Immediate escalation — documented process Tell manager — depends on manager Handle it themselves — no escalation Unsure

69 When new PropTech, CRM platforms, or third-party services are considered, who is responsible for assessing the privacy implications?

Designated role — formal assessment Principal — informal No independent review Nobody

C — Continuous Improvement

70 When the agency experiences a privacy-related complaint, near-miss, or incident, is it formally reviewed to identify what went wrong and how to prevent recurrence?

Yes — root cause documented Discussed — not documented Issue resolved — no review No process

71 Does the agency proactively monitor regulatory changes — OAIC guidance, legislative amendments, AML/CTF updates — and update practices accordingly?

Yes — systematic and prompt Informal monitoring — when convenient Reactive only Not monitored

72 Has the agency ever voluntarily improved a privacy practice — changed a collection form, updated a notice, revised a procedure — without being required to by law or a regulator?

Yes — regularly Occasionally Rarely Only when required

73 Does the agency have a clear plan or roadmap for improving its privacy compliance posture over the next 12 months?

Yes — documented plan Intention only — not documented No plan

📋 Declaration

By submitting this assessment I confirm that: (1) the responses describe the agency's current operational practices and culture to the best of my knowledge; (2) no personal information about any individual has been entered in this form; and (3) I understand this is general compliance guidance only and does not constitute legal advice.

Preparing your assessment…

Your responses are being analysed. Please don't close this tab.

Processing responses
Assessing compliance across all APPs
Calculating risk ratings and scores
Drafting findings and recommendations
Generating your compliance report

Standard Privacy Solutions | Privacy Diagnostic — Real Estate

Sector: Real Estate Agency

Reference: —

Assessment: All 13 APPs + AML/CTF Tranche 2

This Privacy Diagnostic is general compliance guidance only and does not constitute legal advice for your specific circumstances. It is generated by the Standard Privacy Solutions compliance assessment engine and is not a substitute for professional legal advice. For advice tailored to your agency, contact O*NO Legal at privacy@onolegal.com.au or call us to discuss your results.

Ready to fix the gaps?

Your Privacy Diagnostic has identified the areas where your agency needs to act. The next step is getting the right documents in place — a Privacy Policy that reflects your actual practices, Collection Notices at every touchpoint, a Data Breach Response Plan, and your AML/CTF Program if required.

O*NO Legal's document drafting package covers everything your agency needs, assembled from our lawyer-drafted clause library and tailored to your answers — for a flat fee of $999.

Privacy DiagnosticReal Estate Agencies

Privacy Act Applicability

Governance & Privacy Policy

Collection of Personal Information

Use, Disclosure & Marketing

Cross-Border Disclosure & PropTech

Data Security & Retention

Access & Correction

Data Breach Preparedness

Staff, Training & Governance

AML/CTF & Identity Verification

Core Privacy Documents

Compliance Culture, Risk Culture & Continuous Improvement

Ready to fix the gaps?

Privacy Diagnostic
Real Estate Agencies