OAIC to Inspect Personal Data Privacy Practices in Real Estate and Other Sectors
In January 2026, the Office of the Australian Information Commissioner (OAIC) will conduct inspections of 60 businesses across six high-risk sectors, including real estate agencies. These inspections will focus on compliance with personal data privacy requirements. Real estate agents often request extensive tenant data such as months of bank statements, social media details, and even tattoos, and may retain this information longer than necessary.
The OAIC requires businesses to have clear privacy policies specifying data storage durations and any overseas data transfers. Non-compliance with these requirements can result in fines of up to AU$66,000. Other targeted sectors include rental and property inspections, car rentals and dealerships, licensed venues collecting ID information, chemists and pharmacies issuing paperless receipts, as well as pawnshops and secondhand dealers.
OAIC Privacy Commissioner Elizabeth Tydd emphasized the power imbalance in face-to-face data requests that contributes to overcollection and increases privacy risks. Similarly, OAIC Privacy Commissioner Carly Kind warned that excessive data collection and prolonged retention elevate cybersecurity and privacy risks, stressing the need for well-detailed data handling policies.
The real estate sector has experienced notable data breaches in recent years, including incidents at Harcourts and LJ Hooker in 2022. In response, New South Wales introduced restrictions in July 2025 limiting data gathering, as approximately 187,000 pieces of identification information are collected weekly across the state.
The OAIC crackdown will focus on both large firms and smaller franchisees. Some businesses have already enhanced their privacy policies in anticipation of the inspections following the OAIC's mid-December 2025 announcement.
