From Vetting to Violations: How Rental Applications Are Changing

A recent privacy determination involving a Sydney real estate agency illustrates how easily routine online interactions can cross regulatory lines. In the case of AQE v Noonan Real Estate Agency Pty Ltd, the Office of the Australian Information Commissioner found that the agency breached the Privacy Act by disclosing a tenant’s personal information while responding to a negative Google review. 

What appeared to be a simple attempt at reputation management became a privacy breach, and a reminder that even small disclosures can carry regulatory consequences.  

This marks the end of the collect everything era. For agencies, the risk is no longer just a tenant failing to pay rent, it’s the regulator knocking on the door to ask why you still have a copy of a rejected applicant's passport from 2023.   

The grid below compares outdated vetting practices with the newer, compliant and lower‑risk approach expected from agencies.  

It outlines where traditional methods create unnecessary exposure, and how a defensively managed model reduces the likelihood of regulatory action or insurance claims. 

This shift matters more now because every extra file increase exposure. Every forgotten folder expands breach fines. And every outdated process becomes a regulator’s red flag.  

Risk One: The Hoarding Trap  

Real estate agencies are, by nature, data hoarders. Successful and unsuccessful applications are often stored in the same cloud folders or email inboxes indefinitely.   

In the 2026 cyber-landscape, this is a cyber-physical catastrophe waiting to happen. If an agency suffers a breach, the fine isn't calculated based on the 100 current tenants; it’s calculated based on the thousands of IDs sitting in neglected archives. The lesson from the 2024–2025 data breaches at major firms is clear: if you don't need it, delete it. 

Risk Two: Proportionality vs. Vetting  

Regulators and tenant advocates have increasingly warned that rental applications are becoming overly intrusive. Requests such as extensive bank statements or unrelated personal information can raise concerns around privacy, fairness, and discrimination if not handled properly. 

Recent reforms to the Residential Tenancies Amendment Act 2024 (NSW); which now require landlords to provide documented reasons when terminating tenancies, reflect a broader policy direction toward greater accountability and fairness in the rental process.  

Risk Three: The Digital ID Divide  

As we move toward 2030, manual verification of identity is increasingly being viewed by insurers as a growing exposure. Professional Indemnity (PI) underwriters are paying closer attention to how agencies collect and store identity documents, particularly where sensitive information such as driver’s licences is retained on internal servers or unsecured systems. In some cases, this exposure is now being addressed through tighter underwriting requirements, exclusions, or sub-limits related to data handling and cyber risk. 

The industry is shifting toward Decentralised ID. Agencies that succeed will be those that use third-party "Zero-Knowledge" platforms where the agency verifies the person but never actually touches or stores the sensitive document.  

Below are some of the steps that your agency can do now to stay up to date with the shift:  

1. Remove unnecessary ID storage and switch to digital verification.  
2. Establish a documented retention policy for unsuccessful applications and delete data once it is no longer required.  
3. Replace excessive requests with proportionate alternatives.  
4. Update application forms to meet privacy expectations.  
5. Audit servers and CRMs for legacy data.  
6. Review PI and cyber cover for privacy‑related sub‑limits.  
7. Train teams on compliant communication.  

Real estate is a high-stakes industry built on trust. But in 2026, trust isn't built by how much you know about a tenant - it’s built by how well you protect what they’ve told you. The agencies that thrive will not be those with the biggest data archives, but those who balance speed of vetting with the foresight of privacy. 

_Disclaimer

_{This article is general information only and does not constitute advice or take into account your objectives, financial situation or needs. Information may reference third-party content; Knightcorp Insurance Brokers does not endorse or accept responsibility for external material. For advice specific to your insurance needs, please contact Knightcorp Insurance Brokers.}