Why Australia needs to do more to protect tenants' data
08 Dec 2022
Large data breaches recently in Australia have been caused by cyber hacking of data, but the legal collection and use of data, particularly rental data, from people is of concern too. Not only can tenants' personal data be hacked and/or leaked, it can also be used to manipulate them, or even to discriminate against them.
What data is collected in Australia, and how
In Australia landlords and real estate agents legally can ask prospective tenants applying to rent a dwelling to provide proof of their identity; proof of income, such as a payslip or bank statement; past rental records; and personal and work references. This information helps estate agents and landlords to vet and select the tenant that they feel will be best for their property.
Landlords and real estate agents also have legal access to specialist residential tenancy databases (RTDs) operated by private companies. Subscribing agents may list information about a tenant on the database and search the database for information listed by other landlords. RTDs and other private sector organisations are subject to the Australian Privacy Principles under the federal Privacy Act. Information listed on RTDs has to be accurate and accessible to the individual persons concerned, but there are no restrictions on the circumstances in which persons could be listed. As RTDs evolved from negative ‘blacklists’ of tenants, ‘RTD regulation does not really contemplate databases of information listed by tenants themselves’. RTDs are also offering landlords other data on tenants, including ‘packaged searches of its tenancy database with searches of public bankruptcy and court appearance records’ and ‘facilities that allow agents to be alerted when a current tenant makes an application elsewhere’.
Tenant support organisations and media are reporting that private rental market tenants are being asked more personal information than is legally necessary and that prospective tenants are feeling obliged to ‘volunteer’ (i.e. give ‘consent’) this extra information (including tenants' social media presence) to secure a rental tenancy.
For some forms of renting, such as finding a person to share a dwelling, revealing quite personal forms of information (e.g. tolerance for alcohol or drug use, personal philosophy, sexuality etc.) might have occurred previously in an unrecorded interview between potential housemates, now that information may be shared through a third party ‘matching’ website. With the growing advent of online rental and share housing data collection websites the use and storage security of this information is of real concern, particularly as ‘(p)romises that data … will remain anonymous have become dubious as data re-identification has become a sophisticated sub-discipline of computer science’.
Ways Australian renters’ data may be used
Data collected during potential tenants’ applications has other value that data collection companies are able to exploit, even if the identity of the rental applicant is ‘demerged’ from the data. Such data can be used to shape the advertisements that a prospective tenant sees or which parts of an online rental application website they can access, which in turn can affect which properties they can apply for. The data can be used by companies to advertise rental-based financial products such as rental bond loans and bond insurances to specific tenants.
The data can also shape the investment decisions of landlords, giving the data collection website information they can sell back to landlords such as where people earning a particular economic income want to live, what properties are wanted by which social groups, who will be the desired tenants to target and how much rent they are willing to pay for particular housing options. These investment discriminations can have severe impacts on tenants who don’t fit desired models, potentially reducing their rental options or leading to higher rents. The technology has the ability to screen bulk applications and cull applicants based on algorithmic parameters.
The data collected by landlords about their tenants while in the properties can also have value. For example, ‘certain technologies can also be used to monitor the energy use of tenants and discriminate on those grounds’. In a similar way, water usage data may also be collected by landlords. High use tenants may not have their tenancies renewed or when tenants move this data could be made available to their next landlord (at a price?).
Challenges to maintaining security of renters’ data
No matter what data they acquire, estate agents and landlords have legal obligations to manage and store this information so that it is not accessed and used by cyber criminals to create fictious and illegal online personalities (i.e. identity theft). Recent data leaks (in late 2022) from two Australian real estate entities suggests that, in one breach, landlords’ bank details and tenants’ photo identification were revealed to cyber criminals, while in the other property contracts and the names and contact details of some customers were stolen. These examples illustrate the challenges for those collecting and storing rental data, and the need for them to take responsibility to protect it.
Australia could do more to protect renters’ data from being used against them
For Australian policy makers, regulations have to keep up with the ever developing technologies, with some priorities being:
- keeping reasonable limits on data collection and ensuring transparency in its use, including the collection and use of more comprehensive data about tenants other than by RTDs
- examining online access portals and tools, and considering regulatory reform on access to data that may be collected or generated (e.g. trust scores, ratio of applications to tenancies commenced).
Digital housing technologies—and their differential use and regulation—have been found to mediate discrimination across the rental system.
European laws are stronger on data privacy, with the European Union’s General Data Protection Regulation (GDPR) (EU). European data protection law includes:
- limitations on automated decision making and profiling
- a right not to be subject to a purely automated decision that produces legal effects
- a right to meaningful information about the logic involved in an automated decision.
Indeed, although it is an EU law ‘it already imposes obligations on organisations anywhere in the world’ if they are processing personal data harvested in the European Union. Australia could look to that Regulation to guide the augmentation of local data protection laws.
Australia also needs to do more to stop renters’ data being used to discriminate against them. We need responses that are holistic, addressing structural discrimination—with attention to health, energy, social security, labour, transport, climate, ageing, immigration and cyber security policies.