In light of recent Optus and Medibank data breaches, the Department of Energy, Mines, Industry Regulation and Safety – Consumer Protection Division (Consumer Protection) has noted questions about the responsibilities of property industry professionals when it comes to collection and storage of personal information.

Avoiding a similar incident comes down to the security of your business’ systems and practices, including the appropriate management of personal information.

Real estate agents, sales representatives, property managers and settlement agents will all find themselves collecting personal information in the course of business. This bulletin will outline verification of identity (VOI) requirements by occupation, and any requirements/recommendations for protecting this information.

What are your VOI requirements?

Property managers

Property managers are not required to verify the identity of rental applicants, however it may be in the interest of your client to do so.

Property managers frequently ask for multiple sources of personal information to be provided in rental applications. Given the competition in the market, lots of people are applying for multiple properties, some at the same time. This means your systems are potentially holding large stores of people’s personal data.

If you are asking rental applicants for personal information, ensure that you are taking adequate cyber security precautions to protect it. We are hearing stories about online rental application platforms asking prospective tenants to provide a significant amount of personal information; not all of which would be considered relevant to the tenancy. In Consumer Protection’s view, this trend is very worrying. You should only ask rental applicants for necessary information, and destroy or de-identify it when you don’t need it anymore.

Real estate agents and sales representatives

The Real Estate and Business Agents and Sales Representatives Code of Conduct 2016 (WA) (the REBA Code) provides the VOI requirements for real estate agents and sales representatives who are selling property.

The REBA Code requires agents and sales representatives to take reasonable steps to verify the client’s identity and that they have the authority to sell the property (or act on behalf of the person selling the property). This is to be done before the contract of sale is executed.

The REBA Code does not define what steps need to be taken, other than obtaining a copy of the certificate of title for the name of the registered owner. It is generally up to the individual agent or sales representative to determine that reasonable steps have been taken. The REBA Code does not have any requirements for the retention of VOI documents.

Settlement agents

The Settlement Agents Code of Conduct 2016 (WA) (the SA Code) requires settlement agents to identify their clients as soon as possible before settlement takes place. The requirements of the SA Code are complemented by the Verification of Identity and Authority Practice (the VOI practice) issued by the Western Australian Registrar and Commissioner of Titles.

The VOI practice applies to nominated electronic and paper-based land transactions. Electronic conveyancing is now the standard settlement process in Western Australia.

The VOI practice for electronic transactions (including conveyancing) is set out in the WA Participation Rules Version 6 (the Participation Rules). The Participation Rules require settlement agents to take reasonable steps to verify the identity of the seller and buyer of land.

Settlement agents – Retention of evidence

The Participation Rules require evidence supporting the verification of identity, such as certified copies of identity documents, to be kept for at least seven years after lodging the instrument (document, form etc.) the VOI was required with Landgate.

The Registrar and Commissioner of Titles strongly recommends that any certified copies of identity documents are kept in a secure manner to prevent misuse.

Your data security responsibilities under the Privacy Act

If your business has an annual turnover of more than $3 million, it is covered by the Privacy Act 1988 (Cth) (the Privacy Act) which means you must comply with the Australian Privacy Principles.

An organisation covered by the Privacy Act can only collect personal information that is reasonably necessary for its work. The Privacy Act also requires businesses to protect information while they have it, and to destroy or de-identify it when it is no longer required.

A small business is able to ‘opt in’ to the Privacy Act to improve confidence of its customers.

Five simple steps to avoid scams for small businesses

The Australian Competition and Consumer Commission recommends the following steps to avoid scams:

1. Inform and educate your staff members about scams. Subscribe to news and alerts from Scamwatch to stay updated.
2. Have clear processes in place for verifying and paying accounts, and make sure all staff know about them.
3. Ensure your systems have up-to-date anti-virus software. Turn on automatic updates or have an IT professional manage software for you.
4. Ensure you use Multi Factor Authentication to log into your system and online services.
5. Consider what business information you post on social media and networking sites, as scammers use publicly available information to target businesses.
6. Back up your data regularly and store your back-ups offsite and offline. The Australian Cyber Security Centre (ACSC) explains how your business can back up your data.

Real Estate Institute of Western Australia and Edith Cowan University partnership

Consumer Protection welcomes the recent partnership between the Real Estate Institute of Western Australia (REIWA) and Edith Cowan University’s (ECU) Security Research Institute to support real estate agents manage cyber security risks and protect client information. This action is part of a five-year collaboration following the signing of a Memorandum of Understanding by REIWA and ECU, and Consumer Protection congratulates both organisations on this ground-breaking initiative which will assist those involved in real estate transactions.

Resources

ACSC:

• Step-by-step guides for basic cyber security measures.
• Guide to backing up and restoring data.
• Exercise in a Box to assess and improve your organisation’s cyber security practices.

Office of the Australian Information Commissioner:

• Summary of the Australian Privacy Principles.
• Comprehensive guide to securing personal information

Disclaimer: This bulletin contains general information obtained from internal and external sources to the Western Australian Department of Energy, Mines, Industry Regulation and Safety. While we use our best endeavours to ensure the information is correct and current at the time of publication, changes in circumstances after that time may impact upon the accuracy of the material. The department takes no responsibility for any error, omission or defect therein. It is your responsibility to ensure the information is still correct when applying it to your situation in the future, including seeking independent professional advice.