Data security in the settlement industry - Settlement industry bulletin issue 109
9 December 2022
In light of the recent Optus and Medibank data breaches, the Department of Energy, Mines, Industry Regulation and Safety – Consumer Protection Division (Consumer Protection) has noted questions about the responsibilities of property industry professionals when it comes to the collection and storage of personal information.
Avoiding a similar incident comes down to the security of your business’ systems and practices, including the appropriate management of personal information.
Settlement agents will find themselves collecting personal information in the course of business. This bulletin will outline verification of identity (VOI) requirements and any requirements/recommendations for protecting this information.
What are your VOI requirements?
The Settlement Agents Code of Conduct 2016 (WA) (the SA Code) requires settlement agents to identify their clients as soon as possible before settlement takes place. The requirements of the SA Code are complemented by the Verification of Identity and Authority Practice (the VOI practice) issued by the Western Australian Registrar and Commissioner of Titles.
The VOI practice applies to nominated electronic and paper-based land transactions. Electronic conveyancing is now the standard settlement process in Western Australia.
The VOI practice for electronic transactions (including conveyancing) is set out in the WA Participation Rules Version 6 (the Participation Rules). The Participation Rules require settlement agents to take reasonable steps to verify the identity of the seller and buyer of land.
Retention of evidence
The Participation Rules require evidence supporting the verification of identity, such as certified copies of identity documents, to be kept for at least seven years after the instrument (document, form etc.) for which the VOI was required is lodged with Landgate.
The Registrar and Commissioner of Titles strongly recommends that any certified copies of identity documents are kept in a secure manner to prevent misuse.
Your data security responsibilities under the Privacy Act
If your business has an annual turnover of more than $3 million, it is covered by the Privacy Act 1988 (Cth) (the Privacy Act), which means you must comply with the Australian Privacy Principles.
An organisation covered by the Privacy Act can only collect personal information that is reasonably necessary for its work. The Privacy Act also requires businesses to protect information while they have it, and to destroy or de-identify it when it is no longer required.
A small business is able to ‘opt in’ to the Privacy Act to improve the confidence of its customers.
Five simple steps to avoid scams for small businesses
The Australian Competition and Consumer Commission recommends the following steps to avoid scams:
- Inform and educate your staff members about scams. Subscribe to news and alerts from Scamwatch to stay updated.
- Have clear processes in place for verifying and paying accounts, and make sure all staff know about them.
- Ensure your systems have up-to-date anti-virus software. Turn on automatic updates or have an IT professional manage software for you.
- Ensure you use multi-factor authentication to log in to your system and online services.
- Consider what business information you post on social media and networking sites, as scammers use publicly available information to target businesses.
- Back up your data regularly and store your back-ups offsite and offline. The Australian Cyber Security Centre (ACSC) explains how your business can back up your data.
- Step-by-step guides for basic cyber security measures.
- Guide to backing up and restoring data.
- Exercise in a Box to assess and improve your organisation’s cyber security practices.
Office of the Australian Information Commissioner:
Disclaimer: This bulletin contains general information obtained from internal and external sources to the Western Australian Department of Energy, Mines, Industry Regulation and Safety. While we use our best endeavours to ensure the information is correct and current at the time of publication, changes in circumstances after that time may impact upon the accuracy of the material. The department takes no responsibility for any error, omission or defect therein. It is your responsibility to ensure the information is still correct when applying it to your situation in the future, including seeking independent professional advice.