Real Estate’s Data Reckoning Was Always Coming

In September 2024, I published an article on LinkedIn titled “The Cost of Convenience: How Data Mismanagement and Ticket-Clipping Models are Failing Renters”. It was written out of growing unease, not hindsight. At the time, the concern was simple but deeply uncomfortable: real estate agencies were quietly becoming some of the largest holders of highly sensitive personal data in Australia, with remarkably little scrutiny to match.

Rental applications had evolved into exhaustive dossiers. Copies of passports and drivers’ licences. Bank statements. Employment contracts. Personal references. Family details. Visa status. Sometimes even social media profiles. Much of this information was collected before any formal contractual relationship existed, often uploaded into opaque third-party platforms, retained indefinitely, and rarely revisited.

What struck me then was not just the volume of data, but the absence of clear accountability.

As I wrote in 2024:

The property industry likely holds more sensitive data about its clients and customers than almost any other sector. Yet unlike financial services or healthcare, it operates with far fewer controls, limited transparency, and minimal regulatory oversight when it comes to how that data is stored, shared, or retained.

At the time, this was framed as a warning. Last week, it became news.

In early January 2026, Luca Ittimani, a business and economics reporter for The Guardian Australia, reported that the Office of the Australian Information Commissioner had launched its first targeted privacy compliance sweep of real estate agents and related sectors. The focus is on how personal information is collected, stored, and retained, particularly where there is a clear power imbalance between the data subject and the organisation requesting it.

The regulator’s concern is not abstract. The OAIC has pointed directly to risks of over-collection, excessive retention, and inadequate safeguards, with potential penalties for non-compliance.

This matters, not because enforcement has suddenly appeared, but because it has taken this long.

A sector hiding in plain sight

For years, real estate has existed in a regulatory blind spot when it comes to data governance. It is not treated like a financial institution, despite routinely collecting financial information. It is not regulated like healthcare, despite holding deeply personal records about people’s lives, movements, and vulnerabilities. And it is rarely discussed alongside other high-risk data custodians, despite holding identity data that would be considered toxic if breached.

Part of the problem is cultural. The industry has normalised intrusive data collection as the price of access to housing. When demand is high and supply is scarce, consent becomes theoretical. Applicants comply because the alternative is exclusion.

Another part is structural. Data is often dispersed across CRMs, email inboxes, document-sharing platforms, agent laptops, and vendor systems. Retention policies exist on paper, if at all. Destruction schedules are vague. Auditing is rare. And responsibility is diffuse.

Convenience has won. Governance has lagged.

Why the OAIC move is welcome, but not sufficient

The OAIC’s compliance sweep is an important signal. It acknowledges what many renters, advocates, and privacy professionals have been saying for years: this data deserves stronger protection, clearer limits, and real oversight.

But it is also only a first step.

Compliance sweeps do not, on their own, resolve fundamental design problems. They do not answer questions about proportionality. They do not define what data should never be collected in the first place. They do not address whether third-party rental platforms are operating as data brokers in all but name. And they do not fix the asymmetry that forces individuals to trade privacy for shelter.

More importantly, enforcement after the fact does little for people whose data has already been copied, duplicated, and stored across systems they will never see.

The deeper issue: data minimisation, not just compliance

What this moment calls for is not simply better compliance with existing rules, but a rethink of data practices themselves.

Data minimisation needs to become a lived principle, not a line in a policy. Retention limits need to be explicit, enforced, and auditable. Purpose limitation needs teeth. And organisations that choose to hold sensitive identity data should be expected to meet the same governance standards as other high-risk sectors.

Real estate does not get a pass because it feels familiar or mundane. Housing sits at the centre of people’s safety, stability, and dignity. The data that flows through that system deserves corresponding care.

This was always predictable

The Guardian article did not come out of nowhere. It is the natural consequence of years of unchecked data accumulation in a sector that touches almost every adult Australian at moments of vulnerability.

If there is a lesson here, it is not that regulators are suddenly interested in real estate data. It is that the risks have been visible for a long time.

The question now is whether this moment leads to structural change, or whether it becomes another compliance cycle that leaves the underlying power imbalance intact.

Renters have been paying the cost of convenience for far too many years. For the property industry, the bill has just arrived.

Note: This article reflects on arguments first published by the author in September 2024, in light of recent reporting on the OAIC’s privacy compliance sweep of the real estate sector. Links to the original article and the referenced Guardian article can be found in the comments below.


About the Author

Kim Chandler McDonald

Kim Chandler McDonald is the Co-Founder and CEO of 3 Steps Data, driving data/digital governance solutions.

She is the Global VP of CyAN, an award-winning author, storyteller, and advocate for cybersecurity, digital sovereignty, compliance, governance, and end-user empowerment.